Before the Exchange 2013 migration project moves into the co-existence phase, where production services are provided from both the Exchange 2010 and 2013 servers, there are some final checks and configurations that should be performed.
General Health Check
Before any migration or cutover of services it pays to verify that the current Exchange Server 2010 environment is in good health. This avoids potential support confusion if a service is cutover to Exchange 2013, is found to be not working, and then it is unknown whether the service was already faulty or whether it was the cutover that caused the fault to occur.
Here are a few suggestions:
- Run Test-ExchangeServerHealth.ps1 to perform a health check of the servers
- Use the ExRCA tools to test external access
- Note that the ActiveSync test may fail on the final step if your ActiveSync mailbox policy does not allow non-provisionable devices. Either use a different mailbox policy for the test user you use for ExRCA, or use a mobile device to perform the testing instead.
- Confirm that backups for Exchange 2010 are functioning correctly
- Review the Exchange 2010 server event logs for any unusual errors
- Launch Outlook for a new test user and verify that Autodiscover works correctly
- Test Exchange Web Services by doing free/busy lookups
- Verify that mail flow between existing servers is healthy. If you have a large/complex environment you can use my mail flow heat map script for this.
Configure Outlook Anywhere
During co-existence all Outlook connections to mailboxes are via the Exchange 2013 Client Access servers using RPC-over-HTTPS (Outlook Anywhere), even internal connections.
If Outlook Anywhere was not previously used in your Exchange 2010 organization it needs to be enabled and configured.
If Outlook Anywhere was already enabled and configured, it needs to be checked to confirm that the correct authentication settings are in place to allow Exchange 2013 to proxy connections to Exchange 2010 for users who have not yet been moved to Exchange 2013.
For the Exchange Server Pro organization the servers are configured as follows:
[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl servername,externalhostname,*auth* ServerName : HO-EX2010-MB1 ExternalHostname : mail.exchangeserverpro.net ClientAuthenticationMethod : Basic IISAuthenticationMethods : {Basic} ServerName : HO-EX2010-MB2 ExternalHostname : mail.exchangeserverpro.net ClientAuthenticationMethod : Basic IISAuthenticationMethods : {Basic} ServerName : BR-EX2010-MB ExternalHostname : mail.exchangeserverpro.net ClientAuthenticationMethod : Basic IISAuthenticationMethods : {Basic}
The IISAuthenticationMethods need to be updated to include NTLM.
[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | %{Set-OutlookAnywhere "$_RPC (Default Web Site)" -IISAuthenticationMethods Basic,NTLM}
Configure Virtual Directories
The Exchange 2013 Client Access server virtual directories should be checked to ensure they are configured correctly for your environment.
The Exchange Server Pro organization has OWA and ECP virtual directories configured for Basic and Integrated authentication, and uses Forefront TMG to publish them to the internet with Forms-based Authentication. Therefore, the OWA/ECP virtual directories for Exchange 2013 also need to be configured the same way so that the TMG publishing can continue to work.
This is particularly important for TMG authentication delegation to continue working. Using a different authentication type for Exchange 2013 potentially means the TMG configuration also needs to be re-assessed.
For more information on publishing Exchange 2013 with TMG see the following article:
For organizations that are simply NATing port TCP 443 (HTTPS) to the Client Access servers then this is less of an issue and changing authentication types likely has no other significant technical considerations.
Communicate Changes to Users
This may seem obvious but communicating the upcoming changes to end users is important. Particularly for OWA, which will present the Exchange 2013 OWA logon to Exchange 2010 users once the OWA namespace is pointed at the Exchange 2013 CAS and it is pre-authenticating and proxying connections to Exchange 2010. Naturally the OWA interface itself is new in Exchange 2013, so some training or documentation updates for end users may be wise.
Other than that, as long as you’re re-using the same namespaces as the existing Exchange organization there is not likely to be any other user-visible changes that need communicating.
In the next part of this series we’ll begin cutting over the Client Access namespaces to Exchange 2013.
Hi Paul
First of all, thanks for this great article.
I m actually working on a 2010/2016 migration and i m facing strange problems with Outlook client.
We have Outlook 2010/2013 and 2016 in place. We have configured some GPO for forcing a group of user to use RPC/HTTP. On Outlook 2013 clients, everything seems OK, we can see in the profile that the client is actually using the right RPC/HTTP parameters. But in Connection Status, it displayed RPC/TCP !
Outlook 2010 clients are working using RPC/HTTP as expected.
We tried to recreate the profile on Outlook 2013 but still display RPC/TCP in Connection Status.
Anybody faced the same thing ?
Thanks for ideas
Outlook
Hi.
In the organization they want to place Edge Transport server behind TMG and publish it to the internet.I couldn’t create a rule which provide successful access.The inbound traffic reach Edge server but no answer return back from Edge although all outbound traffic from Edge to internet are allowed by a rule.
I want to know that is publishing Edge in this manner is possible at all or not?
Thank you so much for answering my questions.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes it’s possible. Sounds like a routing problem to me. You should look into that further.
TMG is well out of support though, so it depends if you want to spend any more time trying to get TMG working.
Paul,
We already migrated all mailbox cloud, now we are in plan to decommission the exchange servers and retain only hybrid servers ,please let us know the process to move the exchange certificates to hybrid servers without affecting outlook connectivity.
Bala
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You can export the SSL certificate from an Exchange server to import it into other Exchange servers.
Thank you Paul , As per your comment ill try with that
Another one is we are using F5 server for Load balancing the Client access , we added two CAS server into it with round robin method , the thing is we need to decommission that two servers and include the hybrid servers , could you please give proper way to add and remove the old servers from F5.
Thanks,
Bala
If we are installing a Exch 2013 server into our Exch 2010 environment with the goal of it eventually functioning as a hybrid server to O365 – and it’s not going to be hosting any actual mailboxes, just acting initially to proxy to our Exch 2010 servers – do we still need to setup Outlook Anywhere (we don’t currently have it enabled)?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I always do, because it’s easier that way and I’ve had projects run into weird problems when they try to skip that step.
If 2013 is proxying to the 2010 cas servers, and the send connector for outgoing email to the internet is on one of the cas servers – once 2013 is installed will the routing tables get updated so the 2013 box will know to direct outgoing email to the 2010 cas server and it’s send connector or do I need to setup a new send connector on the 2013 server??
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
CAS proxying and transport/mail flow are two separate things. Any Exchange server in the org will be aware of the available routes for outgoing email (ie the send connectors) and will route mail accordingly.
Nope. I had to add the 2013 server to the existing Send Connector under scoping, source server.
Email to internet was queuing up. As soon as I made that change it cleared up.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Then it’s likely you’ve got an SMTP connectivity or mail flow problem from the 2013 server to the 2010 server. If you send email from a mailbox on the 2013 server to a mailbox on the 2010 server does it work or get stuck in a queue?
Hi Paul
Currently coexisting 2010 and 2013 servers and have updated internal dns and firewall to route port 443 and mail.domain.com traffic to new 2013 server. Mobile devices have stopped working since this change so had to revert back so dns and firewall nat rule point to old 2010 CAS.
Any ideas on what I’ve missed here?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
No idea, because I don’t know what steps you followed to get to that point in your migration.
Use the Activesync test at ExRCA.com to test the 2013 server. That should give you some clues.
Silly question but I have seen differing answers and opinions….
Can I install Exchange 2013 in to my 2010 environment and not make any DNS changes for a few days. (Do all testing via hosts file) and have it not affect my existing Outlook clients?
I have seen where people said they were hitting the new 2013 cas servers even though they had not made any DNS changes.
Thanks
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What they’re probably referring to is this:
https://www.practical365.com/outlook-certificate-security-alert-exchange-server-2013-installation/
And yes, you can use a hosts file to test DNS changes before you make them.
https://www.practical365.com/testing-connectivity-and-dns-changes-with-a-hosts-file/
Hey Paul,
I’ve got a similar situation that Tussef has. I created a new mailbox on the 2013 server and migrated a test mailbox from the 2010 to 2013 server. I’m able to send/receive internal and external mail, but it keeps popping up with the username/password box. I believe it’s asking for credentials for the Public Folders (that are still on the 2010) server.
I bought your migration guide and went through it step by step without any issues. I even went through the steps in your above post to configure Outlook Anywhere. Everything is set to NTLM on both the legacy server and new server. The only difference that I see is that one of my 2010 servers is missing the RCP and RcpWithCert virtual directory, even though Outlook Anywhere is enabled and RCP over HTTP has been installed on the server.
Any thoughts?
Hello,
Can you help me, in the scenario of coexistence Exchange 2010/2013 What is the configuration of OutlookAnywhere to be used, because I constantly have a window login / password that appears every time I run an Outlook client (Mailbox Server is Exchange2010).
according to the microsoft site (https://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2718-W-FQCEAgAAQAAAAQEDAQAAAAQAAAAA)
Config OutlookAnywhere 2010:
$Exchange2013HostName = “mail.contoso.com”
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere “$_RPC (Default Web Site)” -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}
Config OutlookAnywhere 2013 ():
Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.domain.com -InternalHostname mail.domain.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Outlook Anywhere must be enabled on the Exchange 2010 CAS, and configured per Microsoft’s guidance for co-existence.
The other possible causes of auth popups are if you have an Autodiscover SCP, or an EWS virtual directory, that has been misconfigured for its URL or doesn’t match the SSL cert on the server.
Hi thks for your tutorial.
I’ve a strange behaviour in my migration from 2010 to 2013. After movin url to the 2013 serveur , my test users whose mailbox are on the 2010 can access it only from outlook or activesync but owa doesn’t work. It seems to not being proxified by 2013. I don’t see where is the pb… coukd you have any ideas ?
Thanks for your help
Paul,
Is there anyway to test the DNS changes without actually making the change in dns and have a user whos mailbox still resides in 2010, use 2013 CAS ?
I tried modifying the host record of the pc but when i try to open the mailbox it says “cannot stat micrsoft outlook, set of folders cannot be opened attempt to log on to msft exchange has failed”
these are the names i changed in the host file
webmail.internalcompany.com activesync.internalcompany.com casarray.lmc.com autodiscover.internalcompany.com webmail1.internalcompany.com
I pointed these names to the new f5 vip that i configured(using an iapp) for exchange
to rule out the f5 i also tried pointing the names directly to one of the 2k13 client access servers and it doesnt work, and it at least should work like this no?
The environment currently internally uses casarray.internalcompany.com for outlook access using 2010 cas array windows nlb.
the new 2013 is using an f5 vip that was created using the iapp.
Running your auth script up there i noticed that on the 2010 cas severs the clientauth and iisauth methods are set to only use Basic. not Sure if this matters for this issue.
Currently all mail flow is working through 2013, in/out to the internet. OWA is still pointed to 2010 though.
Also one other thing i noticed is that when i run the
Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
there is nothing configured for these urls.
Any ideas?
I am having an issue that I am currently on the phone with Microsoft trying to resolve. Outlook Anywhere is not working for internal and external users. I have already completed the migration from Exchange 2010 to 2013 and the 2010 server has been removed per your migration procedures. Internal clients are able to connect to Ex2013 and can send/receive emails both internally and externally. When a user opens Outlook the connection status window shows that it tries to connect using RPC/HTTP then it fails and tries RPC/TPC where it succeeds. According to Microsoft Exchange 2013 does not use RPC/TPC anymore. Is this correct? Should my clients be able to connect using RCP/TCP?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Microsoft is correct, Outlook clients connect to Exchange 2013 using Outlook Anywhere (RPC over HTTP).
RESOLVED:
There were two registry keys that were missing on the Exchange Server.
– HKLMSoftwareMicrosoftRPCRPCProxy
o ValidPorts_AutoConfig_Exchange
String Value = localhost:6001;EXCH1:6001:EXCH1.DOMAIN.LOCAL:6001
(where EXCH1 is the name of the exchange server)
o Website
String Value = Exchange Back End
– In ADSI a value was not set correctly:
o ConfigurationServicesMicrosoft ExchangeUpperLakePSAdministrative GroupsExchange Administrative GroupsServersULPSEXCH1ProtocolsCN=HTTPCN=RPC
msExchRpcHttpFlags value was changed from 0 to 1.
Once these changes were made clients connections changed from RPC/TCP to RPC/HTTP.
Other issues this resolved:
1. OAB entry missing from Autodiscover causing OAB download to fail.
2. Client unable to access Public Folders
3. Client unable to open auto-mapped managed folders
If Outlook Anywhere on Exchange 2010 is already configured with NTLM only, do I need to add the Basic authentication method as well?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
No.
Hi Paul,
Very useful series indeed !
I’m in the process of migrating a customer with thousands of mailboxes from Exchange 2010 to 2013.
Problem : in their initial design they were in situation of “ambiguous URLs” (the cas array fqdn being the same as the URLs) : mail.example.com.
This prevents the coexistence.
Instead of renaming the cas-array, having forced HTTPS connection on outlook clients before etc as suggested in (http://blogs.technet.com/b/exchange/archive/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-to-exchange-2013-migrations.aspx)
… Do you think I could setup different URLs for Outlook Anywhere on the 2010 and 2013 servers, with of course the corresponding entries in the certificates ?
And should I change the internal (domain CA) certificate only ?
Thanks Paul.
I take it that when Exchamge 2013 proxies connections for users whose mailboxes are still on an Exchange 2010 server, it requires NTLM authentication to do so. Is that it?
Hi Paul,
Our Exchange 2010 server is already using RPC/HTTP for all connections (internal and external) with only Basic auth enabled, which works fine. Why is it that “The IISAuthenticationMethods need to be updated to include NTLM”?
Thanks!
M.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
As it says in the article:
“If Outlook Anywhere was already enabled and configured, it needs to be checked to confirm that the correct authentication settings are in place to allow Exchange 2013 to proxy connections to Exchange 2010 for users who have not yet been moved to Exchange 2013.”
Pingback: Exchange 2013 coexistence environment and Outlook infrastructure | Part 2/2 - o365info.com
Hi Paul,
I already posted a question on one of your other articles, but with this part I also have some problems. Since I have enabled Outlook Anywhere Users connect to the domain and accessing their mailbox over a LAN connection (so they are in the office) they get a logon dialogue box everytime they start outlook.
It happens for users connecting through Exchange 2010 CAS to their Exchange 2010 mailbox and for user accessing their Exchange 2013 mailbox through Exchange 2013 CAS, Do you have any idea what I haven’t configured correctly for internal users?
Regards,
Erik
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
It’s possible that your auth settings are incorrect (eg Basic is being used) or that a certificate issue is causing the problem.
Hi Paul,
Thanks for your reply! It turned out to be none of that all. Apparently changes made to Outlook Anywhere take a while to propagate through. At the and of the day I decided to set/check all the Outlook Anywhere settings as recommended (which I already did before) and call it a day. When I left a few users were still experiencing problems.
When I returned to the office the following day, all the issues were gone! So my lesson: Patience is key! After configuring Outlook Anywhere, leave it and let the settings propagate throughout the Enterprise.
Regards,
Erik
Hi Paul,
I have a weird issue which I would like to share with you and to se if you have an idea of what might be happening.
My issue is related to Outlook Anywhere
My external URL is configured to “mail.domain.com” however when I configure my outlook, I find that the name of exchange server is being resolved as “mail2.domain.com” even if you manually type in “mail.domain.com”
would you know how this is possible? the only place where mail2 is referenced is in our Local DNS. It has been setup as an “A” record pointing to CAS array.
Your help would be greatly appreciated.
Just an update, I ran the MS Remote Connectivity Analyser and I found this on one of the tests
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://mail.domain.com:443/Autodiscover/Autodiscover.xml for user user@domain.com.
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
first surname
/o=IAHC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=First Surname652
c40d0824-a038-42b1-b640-4dc03c3e9a74
email
settings
EXCH
mail2.domain.com
/o=IAHC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=mail2.domain.com
7383807B
/o=IAHC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=mail2.domain.com/cn=Microsoft Private MDB
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Are you talking about an Exchange 2010 mailbox user or an Exchange 2013 mailbox user?
Hi Paul,
This is an Exchange 2010 Mailbox user
Hi Paul,
These are exchange 2010 mailbox users
Hi Paul,
After some research, I found why my outlook clients were resolving to mail2.domain.com when you specified mail.domain.com as the server during the configuration of the email profile.
In Exchange 2010, outlook connects to the mailbox databases, therefore there is an attribute in the databases called “RPCClientAccess” which is passed to outlook when It attempts to connect to the mailbox database which hosts the users mailbox…. in my case the attribute “RPCClientAccess” was set to mail2.domain.com.
I further identified that the FQDN of the CAS array was also configured as mail2.domain.com so I can only assume that when a database gets created the attribute “RPCClientAccess” automatically gets configured with mail2.domain.com
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Basically yes.
https://www.practical365.com/exchange-server-2010-cas-array/
Paul-
You upgrade guide is great. I am running into an issue in my test environment. I cut over the name space and OWA, ActiveSync, and Outlook Anywhere are working great but I cannot connect to any mailboxes on my Exchange 2010 server via IMAP or POP. Mailboxes on Exchange 2013 work fine. I can connect directly to the Exchange 2010 CAS/Hub servers and IMAP and POP work fine.
I enabled IMAP logging and it is telling me bad username and password even though it is the exact same password in the config on Thunderbird. All I am doing is changing the host I am pointing my client to.
Thanks,
Adam
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I would say that one of your auth or security settings in POP and IMAP on Exchange 2013 are not set the same way you have them in 2010. Also keep in mind those services aren’t enabled by default, you have to start them up yourself.
Hi Paul,
I’ve been following your guide for a 2010 to 2013 migration.
I’m in the process of cutting over the namespaces currently, and have got most of them across and working via Exchange 2013.
One service I’ve neglected to think about though is EWS.
Currently there are line of business apps using EWS, and the internal URI they use is that specified on the 2010 CAS servers.
The URI is https://casarray.domain.local/EWS/Exchange.asmx
This points to an A record, which in turn points to a VIP for the load balanced 2010 CAS servers.
The new internal and external URI on the 2013 servers is :
https://mail.domain.com/EWS/Exchange.asmx
This points a split internal DNS zone A record, which points to the new servers load balancer VIP.
If I change the URI used within LOB apps, and specify the new 2013 internal URI will this be sufficient to transition the EWS services across to the new servers?
Thanks
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes. Because you have an ambiguous namespace issue (ie you’ve used the same namespace for RPC as you have for HTTPS) the best way forward is to update your apps to use the new HTTPS URL during the cutover.
Paul,
Your instructions state:
“If Outlook Anywhere was not previously used in your Exchange 2010 organization it needs to be enabled and configured.”
Can you explain why this would be necessary? I’m not sure this configuration is approved in my current environment and would like to have a better understanding of what’s going on.
Thanks!
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Outlook connects to Exchange 2013 using HTTPS (Outlook Anywhere) even internally.
For Exchange 2013 to be able to proxy connections to Exchange 2007/2010 servers (when that is necessary) it makes an Outlook Anywhere connection to the 2010 CAS.
So OA needs to be enabled on the 2007/2010 CAS and configured with the correct auth settings.
Whether you actually open up OA access from the *internet* is an entirely different matter of course.
Hi Paul,
As you stated above
“So OA needs to be enabled on the 2007/2010 CAS and configured with the correct auth settings”
Can you explain what would be the correct auth settings for Exchange 2010 & 2013 for seemless switchover.
Thanks in Advance !!
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
The correct settings are explained in the article.
Hi Paul,
My 2010 Exchange server is part of my domain but is hosted by a 3rd party in a separate AD site. We use split brain DNS. The Internal autodiscover record points to the internal IP of the Exchange server and the public autodiscover record points to mycompany.hostingcompany.co.uk. Our MX record points to messagelabs which then forwards the filtered emails on to the Exchange server. The virtual directory URLS are currently in the format
Internal External
Autodiscover https://mycompany.hostingcompany.co.uk
OWA https://hostname.mycompany.co.uk https://mycompany.hostingcompany.co.uk
ECP https://hostname.mycompany.co.uk https://mycompany.hostingcompany.co.uk
Outlook Any https://mycompany.hostingcompany.co.uk
OAB https://mycompany.hostingcompany.co.uk https://mycompany.hostingcompany.co.uk
Active Sync https://hostname.mycompany.co.uk https://mycompany.hostingcompany.co.uk
EWS https://mycompany.hostingcompany.co.uk https://mycompany.hostingcompany.co.uk
I am planning to install a 2013 Exchange server in my primary AD site, and I would like the virtual directories to be in the format https://mail.mycompany.co.uk in preparation for ending the contract with the hosting company and removing the Exchange 2010 server. If I configure the new format URLs on the 2013 server, will this break access for clients either before or after migrating their mailbox to the 2013 server?
Also, I want to move the mailboxes gradually from the 2010 server to the 2013 server. Regarding your comment “During co-existence all Outlook connections to mailboxes are via the Exchange 2013 Client Access servers using RPC-over-HTTPS (Outlook Anywhere), even internal connections.” Does this mean that clients working out of the office will enter via the 2010 server (as per the public autodiscover record) then be directed to the 2013 server only to be proxied back to the 2010 server?