Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
When you're upgrading your existing Microsoft Exchange Server 2007 organization to Exchange Server 2010, there's a period of time when both Exchange 2007 and Exchange 2010 will coexist within your organization. This topic describes the various steps you must take to upgrade an Exchange 2007 organization to Exchange 2010.
Note: The information provided in this topic is applicable regardless of whether you have Exchange Server 2003 mailbox servers within your Exchange 2007 organization. For information about upgrading an organization running only Exchange 2003 to Exchange 2010, see Upgrade from Exchange 2003 Client Access.
Important: When you upgrade your organization to the RTM version of Exchange 2010, your clients running Outlook 2003 don't use RPC encryption, and RPC Client Access requires it by default. This can cause connection issues between Exchange 2010 and Outlook 2003. In Exchange 2010 SP2, RPC Client Access doesn't require RPC encryption by default. If you have Outlook 2003 clients within your organization, we recommend that you install Exchange 2010 SP2 to avoid connection issues between Exchange 2010 RTM and Outlook 2003. For more information, see Understanding RPC Client Access.
Overview of the Upgrade Process
The upgrade process includes the following steps:
- Installing Exchange 2010 within your organization on new hardware.
- Configuring Exchange 2010 Client Access.
- Creating a set of legacy host names that will be associated with the version of Exchange you're upgrading from.
  Note: Your legacy host name should be in the format "legacy.contoso.com", where contoso.com matches your current host name.
  Note: Configuring a legacy host name is necessary only if you'll need Exchange 2007 and Exchange 2010 to coexist in the same organization. If you have a small number of mailboxes and can move all your mailboxes from Exchange 2007 to Exchange 2010 during the downtime you've scheduled for the upgrade, this step isn't necessary.
- Obtaining a digital certificate with the names you'll use during the coexistence period and installing it on your Exchange 2010 Client Access server.
- Associating your current host names, for example: mail.contoso.com, with your Exchange 2010 infrastructure.
- Moving mailboxes from Exchange 2007 to Exchange 2010.
- Decommissioning your Exchange 2007 infrastructure.
Note: Throughout this topic, mail.contoso.com will be used as the primary namespace and legacy.contoso.com will be used as the legacy namespace. When you perform your upgrade, you'll substitute the names of your own primary and legacy namespaces.
Understanding Legacy Host Names
An important part of the upgrade process is configuring a legacy host name and associating that host name with your Exchange 2007 infrastructure. This is a necessary step if your organization has a significant number of mailboxes that can't all be moved from Exchange 2007 to Exchange 2010 during the downtime scheduled for the upgrade and if your organization supports Outlook Web Access for Internet users.
If your organization has a small number of mailboxes, and you're able to schedule downtime over an evening or a weekend, you can skip the step of configuring a legacy host name and move all mailboxes during this downtime. Doing this eliminates the need for Exchange 2007 and Exchange 2010 to coexist.
You'll have to configure a legacy host name to be published to the Internet and associated with the virtual directories of the various services you have on Exchange 2007, such as Microsoft Exchange ActiveSync, Microsoft Outlook Web Access, POP3, and IMAP4 if:
- You have a significant number of mailboxes to move from Exchange 2007 to Exchange 2010
or
- You don't want to move all mailboxes at once
and
- You have users who access Outlook Web Access from the Internet.
After a legacy host name has been configured and associated with your Exchange 2007 infrastructure, and your current host name has been associated with your Exchange 2010 infrastructure, users will experience a seamless transition. Exchange 2010 will redirect users from the Exchange 2010 Client Access server to the Exchange 2007 Client Access server. Users won't have to learn a new URL to access Outlook Web Access (called Outlook Web App in Exchange 2010) or reconfigure their Exchange ActiveSync devices. POP3, IMAP4, and Outlook Anywhere users can also continue to access their mailboxes without interruption.
How to create a legacy host name
The steps to perform this task will vary for each organization. That's because the exact steps depend on your Internet provider and firewall configuration. Example steps for GoDaddy are provided below to give you an idea of how things work. The steps you need to follow may vary. But, in general, you need to:
- Create a DNS host (A) record in your internal and external DNS servers that points to the IP address of your legacy Internet-facing Exchange server (for example, your Exchange 2007 Client Access server or Exchange 2003 front-end server) in internal DNS or the public IP address on your reverse proxy or firewall solution (external DNS). The host name should be in the format of legacy.domain.com (for example, legacy.contoso.com).
- Create a publishing rule for the legacy host name in your reverse proxy or firewall solution to point to your legacy Internet-facing Exchange server. Refer to your proxy/firewall solution's user manual for instructions for how to do this.
- Configure the existing DNS host (A) record in your internal and external DNS servers for your original host name (for example, mail.contoso.com) to point to your Exchange 2010 organization. For example, point to the IP address of your Client Access server or array (internal DNS) or the public IP address on your reverse proxy or firewall solution (external DNS).
So, for example, if your provider is GoDaddy.com, you can use the following steps to create a DNS host (A) record and associate it with your legacy Exchange infrastructure:
- From your GoDaddy account management home page, click Domain Manager under the My Products heading in the left sidebar.
- If you're prompted to log in to your account, log in.
- In the Total DNS section of the Domain Manager information screen, click Total DNS Control.
- In the A (Host) section of the Total DNS Control screen, click Add new A record.
- Enter the host name, for example legacy.contoso.com and enter the IP address of your legacy Exchange server in the Points to IP address box.
- Choose a TTL (time to live) value. If you're performing this step well in advance of your Exchange 2010 installation, you can choose 1 day or 1 week from the drop-down list. Otherwise, choose the default of 1 hour or 1/2 hour.
- Click OK to complete your changes.
How to verify the legacy host name can be accessed from the Internet
From outside your firewall, using your specific domain name instead of contoso, perform the following steps:
- Navigate to https://mail.contoso.com/owa, and verify that you can access Outlook Web App for a user whose mailbox is on an Exchange 2010 server.
- Navigate to https://legacy.contoso.com/exchange, and verify that you can access Outlook Web App for a user whose mailbox is on a legacy Exchange server.
- Navigate to https://mail.contoso.com/owa, and verify that you can access Outlook Web App for a user whose mailbox is on a legacy Exchange server.
You can also use the Exchange Server Remote Connectivity Analyzer to verify connectivity for the legacy namespace.
You'll find ExRCA at: https://www.testexchangeconnectivity.com.
Certificate Planning for Upgrade
To support coexistence of Exchange 2003 and Exchange 2010, you'll likely have to obtain a new commercial certificate. We recommend that you obtain a certificate that supports Subject Alternative Names. However, a wildcard certificate is also supported. For more information about certificates, see Understanding Digital Certificates and SSL.
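The following added example (not part of the original topic and not Microsoft's code) checks whether a certificate's name list covers both namespaces used during coexistence, for a Subject Alternative Name certificate as well as a wildcard certificate. The function names and the sample name lists are constructed for illustration, and the example goes slightly beyond the text by applying the rule that a wildcard entry covers exactly one left-most label.

```powershell
# Added example; function names are illustrative, not Exchange cmdlets.
# Written for Windows PowerShell 2.0, the version Exchange 2010 uses.
function Test-NameCoveredByCertificate {
    param([string]$HostName, [string[]]$CertificateDomains)
    $target = $HostName.ToLowerInvariant()
    foreach ($entry in $CertificateDomains) {
        $name = $entry.ToLowerInvariant()
        if ($name -eq $target) { return $true }
        if ($name.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label:
            # *.contoso.com covers mail.contoso.com, but not contoso.com
            # and not owa.mail.contoso.com.
            $suffix = $name.Substring(1)    # ".contoso.com"
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-UncoveredNamespace {
    param([string[]]$RequiredNames, [string[]]$CertificateDomains)
    # Emit every required host name that no certificate entry covers.
    foreach ($required in $RequiredNames) {
        $covered = Test-NameCoveredByCertificate -HostName $required -CertificateDomains $CertificateDomains
        if (-not $covered) { $required }
    }
}

# Namespaces used throughout this topic.
$namespaces = 'mail.contoso.com', 'legacy.contoso.com'

# Constructed sample name lists (not taken from a real certificate).
$sanWithoutLegacy = 'mail.contoso.com', 'contoso.com'
$wildcardOnly     = '*.contoso.com'

# Names still missing from each certificate; an empty list means full coverage.
$missingSan      = @(Get-UncoveredNamespace -RequiredNames $namespaces -CertificateDomains $sanWithoutLegacy)
$missingWildcard = @(Get-UncoveredNamespace -RequiredNames $namespaces -CertificateDomains $wildcardOnly)
"SAN certificate is missing: "      + ($missingSan -join ', ')
"Wildcard certificate is missing: " + ($missingWildcard -join ', ')

# In the Exchange Management Shell the list can come from the installed certificate.
# <Thumbprint> is a placeholder; assumes each entry's string form is the host name.
# $domains = (Get-ExchangeCertificate -Thumbprint <Thumbprint>).CertificateDomains | ForEach-Object { $_.ToString() }
```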
Installing Exchange 2010
After you've ensured that the prerequisites are met and you've obtained the correct certificates, you can begin your upgrade. Do this using the following steps:
Note: In the following steps, replace <CAS2010> with the name of your Exchange 2010 Client Access server.
- Install the Exchange 2010 Client Access server role.
- During Setup, you can enter the primary external namespace for your virtual directories. This value should be the primary host name that your users use to connect to Exchange services from the Internet, for example: mail.contoso.com.
  - If you're upgrading through the graphical user interface Setup, you'll be prompted to configure a Client Access domain.
  - If you're upgrading from a command prompt, use the setup property /ExternalCASServerDomain and specify your domain, for example: mail.contoso.com.
- If your organization requires Outlook Anywhere access, enable Outlook Anywhere.
  - This can be done using the following command:
    Enable-OutlookAnywhere -Server:<CAS2010> -ExternalHostName:mail.contoso.com -SSLOffloading $false
- If you didn't configure a primary external namespace during setup, you'll have to run the following commands to configure the virtual directories for the Offline Address Book, Exchange Web Services, Exchange ActiveSync, Outlook Web App, and Exchange Control Panel. You can do that with the following commands:
  - Offline Address Book:
    Set-OABVirtualDirectory <CAS2010>\OAB* -ExternalURL https://mail.contoso.com/OAB
  - Web Services:
    Set-WebServicesVirtualDirectory <CAS2010>\EWS* -ExternalURL https://mail.contoso.com/ews/exchange.asmx
  - Exchange ActiveSync:
    Set-ActiveSyncVirtualDirectory -Identity <CAS2010>\Microsoft-Server-ActiveSync -ExternalURL https://mail.contoso.com
  - Outlook Web App:
    Set-OWAVirtualDirectory <CAS2010>\OWA* -ExternalURL https://mail.contoso.com/OWA
  - Exchange Control Panel:
    Set-ECPVirtualDirectory <CAS2010>\ECP* -ExternalURL https://mail.contoso.com/ECP
- Configure your Outlook Web App settings to meet your organization's needs.
  - You can obtain the Outlook Web Access settings from your Exchange 2007 server using the cmdlet Get-OWAVirtualDirectory.
  - To configure the Outlook Web App settings in Exchange 2010, use the Set-OWAVirtualDirectory cmdlet.
- Configure your Exchange ActiveSync authentication settings.
  - You can obtain the Exchange ActiveSync settings from your Exchange 2007 server using the Get-ActiveSyncVirtualDirectory cmdlet.
  - To configure the Exchange ActiveSync settings in Exchange 2010, use the Set-ActiveSyncVirtualDirectory cmdlet.
- Install the Exchange 2010 Hub Transport server role and the Exchange 2010 Mailbox server role into the Internet-facing Active Directory site. For configuration steps for these server roles, see Upgrade from Exchange 2007 Transport and Upgrade from Exchange 2007 Mailbox.
- Change the offline address book generation server and enable Web distribution on the Exchange 2010 Client Access server with the following steps:
  - Move the offline address book using the following command:
    Move-OfflineAddressBook "Default Offline Address List" -Server <MBX2010>
  - Add the Exchange 2010 Client Access server as a web distribution point using the following commands:
    $OABVDir = Get-OABVirtualDirectory -Server <CAS2010>
    $OAB = Get-OfflineAddressBook "Default Offline Address List"
    $OAB.VirtualDirectories += $OABVDir.DistinguishedName
    Set-OfflineAddressBook "Default Offline Address List" -VirtualDirectories $OAB.VirtualDirectories
- Create a legacy host name in your external DNS infrastructure. You'll either need to associate this host name with your Exchange 2007 Client Access server or with your proxy infrastructure.
- If you have Exchange 2003 mailboxes in your organization, enable Integrated Windows authentication on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 back-end server. This allows the Exchange 2010 Client Access server and the Exchange 2003 back-end server to communicate using Kerberos authentication.
  - Install the hotfix located here, and then use Exchange System Manager to adjust the authentication settings of the Exchange ActiveSync virtual directory.
  - Or, set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container on each Exchange 2003 mailbox server. An example script is provided here.
  Important: Don't use IIS Manager to change the authentication setting on the ActiveSync virtual directory, because the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.
- Reconfigure your External DNS settings or the publishing rules for your reverse proxy infrastructure to have your original namespace of mail.contoso.com point to your Exchange 2010 Client Access server or Client Access server array.
- Test all client connections and re-enable Internet protocol client usage.
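For the two steps above that carry Outlook Web App and Exchange ActiveSync settings over from Exchange 2007, the following added example (not part of the original topic and not Microsoft's code) reports every authentication-related setting that differs between the old and new virtual directory, so an unintended change in authentication is caught before clients are re-enabled. Compare-VDirSetting, the sample objects and the <CAS2007> placeholder are assumptions made for illustration.

```powershell
# Added example; Compare-VDirSetting is an illustrative helper, not an Exchange cmdlet.
# Written for Windows PowerShell 2.0, the version Exchange 2010 uses.
function Compare-VDirSetting {
    param($Legacy, $Current, [string[]]$Property)
    foreach ($name in $Property) {
        $old = $Legacy.$name
        $new = $Current.$name
        # Compare string forms so booleans, enums and empty values line up.
        if ("$old" -ne "$new") {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Setting $name
            $row | Add-Member NoteProperty Exchange2007 $old
            $row | Add-Member NoteProperty Exchange2010 $new
            $row
        }
    }
}

# Authentication-related properties to carry over.
$owaProps = 'FormsAuthentication', 'BasicAuthentication', 'WindowsAuthentication',
            'DigestAuthentication', 'LogonFormat', 'DefaultDomain'
$easProps = 'BasicAuthEnabled', 'ClientCertAuth'

# Constructed sample objects standing in for Get-OWAVirtualDirectory and
# Get-ActiveSyncVirtualDirectory output (values are invented for the example).
$owa2007 = New-Object PSObject -Property @{
    FormsAuthentication = $true; BasicAuthentication = $true; WindowsAuthentication = $false
    DigestAuthentication = $false; LogonFormat = 'UserName'; DefaultDomain = 'contoso' }
$owa2010 = New-Object PSObject -Property @{
    FormsAuthentication = $true; BasicAuthentication = $true; WindowsAuthentication = $false
    DigestAuthentication = $false; LogonFormat = 'FullDomain'; DefaultDomain = '' }
$eas2007 = New-Object PSObject -Property @{ BasicAuthEnabled = $true; ClientCertAuth = 'Required' }
$eas2010 = New-Object PSObject -Property @{ BasicAuthEnabled = $true; ClientCertAuth = 'Ignore' }

# Each row is a setting that was not carried over to Exchange 2010.
$drift  = @(Compare-VDirSetting -Legacy $owa2007 -Current $owa2010 -Property $owaProps)
$drift += @(Compare-VDirSetting -Legacy $eas2007 -Current $eas2010 -Property $easProps)
$drift | Format-Table Setting, Exchange2007, Exchange2010 -AutoSize

# In the Exchange Management Shell, replace the sample objects with live ones.
# <CAS2007> is a placeholder for your Exchange 2007 Client Access server:
# $owa2007 = Get-OWAVirtualDirectory -Identity '<CAS2007>\owa (Default Web Site)'
# $owa2010 = Get-OWAVirtualDirectory -Identity '<CAS2010>\owa (Default Web Site)'
```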