This post is an excerpt from the Exchange Server 2003 to 2010 Migration Guide.

We are approaching the stage of the migration project where the Exchange 2010 servers begin to perform production roles, such as message routing, remote access, and hosting mailboxes.

This period is referred to as the “co-existence” period.

For some organizations a co-existence period is not necessary, because they are small enough that 100% of the services and data on Exchange 2003 can be migrated across to Exchange 2010 within a single outage window.

For example a small business with just a few dozen, small mailboxes could perform the entire migration in a single weekend with no business hours impact.  Such organizations can skip the co-existence phase if they wish to, which reduces the amount of configuration work required.

However for the rest of us a co-existence period is required, which means there are some necessary configurations to put in place first before any production services or data are migrated to Exchange 2010.

Establishing the Legacy Namespace

The legacy namespace is the name that will be used by Exchange 2003 mailbox users to access Outlook Web Access after the remote access namespace is transitioned to the internet-facing Exchange 2010 Client Access server.

What this means is that Outlook Web Access/App connections are first made to the Client Access server.  Exchange 2010 mailbox users are proxied as normal to the appropriate Mailbox server.  However Exchange 2003 mailbox users are redirected to the legacy namespace instead.

Some people find the legacy namespace to be a confusing topic.  In effect the legacy namespace is simply another DNS name, published with ISA Server or another firewall, that legacy (Exchange 2003) mailbox users are redirected to for Outlook Web Access.

Exchange 2003 and 2010 co-existence

Creating the Legacy DNS Record

The legacy name can be anything you like however the name that is commonly chosen is simply “legacy”, or in this example scenario “”.

This legacy name should be included in your Exchange 2010 SSL certificate when it is provisioned.

Create a DNS record for the legacy name in your public DNS zone.  If you are using split DNS you should also create the record in your internal DNS zone.

The public IP address that the DNS record is created for can be the same as the public IP address of your primary remote access name (e.g. if you are using ISA Server 2006 to publish Exchange remote access.  ISA Server is capable of publishing the different names to different internal servers using the same web listener.

If you are using a different firewall or a simple NAT router then you may need to configure the legacy namespace on a separate public IP address.

Tip: If you are using split DNS take a look at how your existing OWA public name is configured in your internal DNS zone.  If it uses the public IP then do the same with your legacy name, however if it uses the internal IP then you should configure the legacy name to the internal IP as well for the internal DNS zone.

Configuring the OWA Virtual Directory for Legacy Redirection

The OWA Virtual Directory on the internet-facing Client Access server must be configured with the legacy URL to redirect users to.

Open the Exchange Management Shell and run the Set-OWAVirtualDirectory cmdlet with the following parameters:

  • -Identity is the name of the OWA Virtual Directory being modified
  • -Exchange2003URL is the legacy URL to redirect Exchange 2003 mailbox users to
Set-OwaVirtualDirectory -Identity "esp-ho-ex2010aowa (Default Web Site)" -Exchange2003Url

Assigning the SSL Certificate to Exchange Server 2003

The Exchange 2003 front end server needs to be configured with the new SAN certificate that was provisioned for Exchange 2010.  This is so that remote access connections to the legacy namespace can occur over SSL without any certificate errors or warnings.

To export the certificate from Exchange Server 2010 launch the Exchange Management Shell and run the following commands.

First determine the thumbprint of the SAN certificate that is installed.


Thumbprint                                Services   Subject
----------                                --------   -------
4DE8E0AC4ECB09623645842752FAA80C4160BF0B  ...WS., OU=IT Department, O=Exchange Ser...
F539B9045F765F9F0DFDE1EA9CB4BACAAE2C6C54  IP..S.     CN=esp-ho-ex2010a

In this example the thumbprint is “4DE8E0AC4ECB09623645842752FAA80C4160BF0B”.

Next export the certificate to a file by running the following command.  Note this is a single-line command.

$file = Export-ExchangeCertificate -Thumbprint 4DE8E0AC4ECB09623645842752FAA80C4160BF0B -BinaryEncoded:$true -Password (Get-Credential).password

A popup dialog appears for you to enter a password to protect the private key.  The username field is not important but requires something to be entered in it for the dialog to accept, so just enter “username” and then a strong password.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Next run the following command to generate the file.

Set-Content -Path "C:Adminex2010cert.pfx" -Value $file.FileData -Encoding Byte

Open Windows Explorer and look at the location you specified as the –Path parameter in the above command, and you will now see the exported certificate.

Copy the file to the Exchange Server 2003 front end server.

On the Exchange 2003 front end server launch mmc.exe and add the Certificates snap-in to the console, choosing the Computer account context.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Choose Local Computer and then click Finish, Close, and OK to return to the console.

Right-click Personal and choose All Tasks -> Import.  Step through the Certificate Import Wizard choosing the certificate file that was copied from the Exchange Server 2010 server.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Enter the password that you used when the certificate was exported from Exchange Server 2010.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Place the certificate in the Personal certificate store.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Complete the wizard and confirm that the import was successful.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

The imported certificate will now appear alongside the existing SSL certificate on the front end server, if you had one installed already.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

The certificate now needs to be added to the HTTPS binding for the IIS website on the Exchange 2003 front end server.

Launch IIS Manager from the Administrative Tools menu of the Exchange 2003 front end server.

Right-click the web site that hosts the Exchange 2003 virtual directories, and then choose Properties.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Select the Directory Security tab and click on Server Certificate.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Click Next to step through the welcome page.  Choose Replace the current certificate, and then click Next to continue.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Select the SSL certificate that was imported from the Exchange 2010 server and click Next to continue.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Confirm your selection and then click Next again, and then Finish.

Configuring OWA Co-Existence for Exchange 2003 and Exchange 2010

Click OK to apply the close the web site properties dialog box.

You should now test your Exchange 2003 remote access (e.g. Outlook Web Access) to verify that the new certificate is working correctly.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Francesco B.

    Hi Paul, I have read lot of articles written from you, TechNet, but I have some perplexities. I hope you will kindly clarify them for me.

    My simple environment:
    – 1 Exchange 2003 SP2 (150 mailboxes) on a Windows 2003 Domain Controller. Host FQDN name:
    – 1 Smart Host (Symantec Messaging Gateway formerly Brightmail).
    – A standard firewall (Fortigate) with NATs configured to permit connections from internet to internal resources based on port forwardings.
    – OWA, ActiveSync, RPC-over-HTTPS enabled for external users.
    – External namespace: All Exchange services point externally to this public A record.
    – MX record for also points to
    – Internally I have 2003, 2007 and 2010 Outlook clients. All of them have a mapi profile with “” specified in it as Exchange server.

    – I want to install in a coexistence scenario an Exchange 2010 SP3 (CAS, MB, HT) beside the Exchange 2003. The new Exchange 2010 host will be named


    #1 What does happen to my internal Oulook 2003 clients once installed Exchange 2010 and moved Exchange 2003 mailboxes on it? On TechNet i read that users do not have to change anything, that is a transparent process for them but I did not find an explaination on how it is possible for Outlook 2003 clients.

    #2 Instead, for 2007-2010 clients, I expect that connect seamlessy to Exchange 2003 or 2010 because of the autodiscovery service. To be more precise these clients already now setup themselves automatically to my Exchange 2003 on the first run. It is not for the autodiscovery capabilities I suppose, since currently there is no autodiscovery internal DNS records.

    #3 What does happen to my external Outlook 2003 clients accessing Exchange through RPC-over-HTTPS? Them too at begin have been set up with a mapi profile with specified in it

    #4 All Exchange web services currently are used only from internet. Records changes happen only on public DNS A records when I will be ready for the mail flow change, am I right? Internally, I have just to add the autodiscovery and legacy A records on my internal DNS. So:
    – will continue to point to the public IP to which all mobile devices currently point.
    – The same applies for
    – will point to a new public IP address, which will be forwarded by my firewall to
    – will be added as an A record to my internal DNS and will point to the IP of
    – will be added as an A record to my internal DNS .

    #5 As per your post “Exchange 2010 FAQ: Common Concerns When Installing the First Exchange 2010 Server” inbound/outbound mail flow will begin to change behavior only after public dns and smart host configuration changes. When I will be ready for the switch:
    – On my smart host I will change the internal mail host to which forward and from which receive emails to the IP of Exchange 2010.
    – On my firewall I will change NAT port forwardings so that OWA, activesync and RPC-over-HTTPs requests will be redirected to the IP of Exchange 2010.
    – If something goes wrong with mail flow or OWA services it is just a matter of rolling back to the previous configuration the above two steps.

    #6 Does the fact that my current Exchange 2003 is on a Windows server 2003 that is also a domain controller change something in my Exchange 2010 deploy plan?

    Pual, thank you very much for reading and eventually replying. šŸ™‚
    Francesco B.

    1. Francesco B.

      I have to rectify some foolishness that, by reading again my post, I think I am aware of (there will be surely other nonsenses of which I am not aware for sure, sorry). Moreover I minded that I have some other question.

      #2 It is not so much because of the absence of an autodiscovery DNS A record that autodiscover does not work with Exchange 2003, but because Exchange 2003 itself has not implemented the autodiscover service. Outlook 2007-2010 setup automatically profiles because of the builtin autoconfigure feature. And it works with Exchange 2003.

      #4 legacy internal DNS A record is not useful unless I want my Exchange 2003 users to use owa, activesync, Outlook anywhere, inside my lan.


      #7 Is it possible during the migration, setup the Split DNS for my Exchange environment? In theory it is just a matter of creating a new forward zone “” and create in it A records: legacy, autodiscover, mail that point, the first one to the IP of Exchange 2003, the last two to Exchange 2010. Isn’t it? So my users will be able to use seamlessly their mobile devices inside and outside my company.

      Thank you again Paul
      Francesco B.

  2. Mike

    Paul, you describe in your migration guide only the removal of the 2003 RUS. Should this not be moved to 2003? Can I also do that before moving mailboxes to 2010?

    1. Mike

      I ment moved to 2010!

      1. Avatar photo
        Paul Cunningham

        There’s no RUS in Exchange 2010. The RUS isn’t removed until after the migrations are completed.

        1. Mike

          Ok thanks thats what I thought. I have just seen several articles where they clicked on both RUS properties in the Exchange 2003 System Manager to add the 2010 Exchange. That was confusing.

  3. Majid Khan

    Hello Paul,

    Thank you so much for the wonderful post. I have one question. I have successfully migrated all mailboxes from 2003 to 2010 in coexistence environment. There is one routing group connector created fro communication b/w 2003 and 2010. ASA is configured successfully to allow both 2010 traffic as well as 2003. All MX records seems to be correct. Now when I shutdown the Exch 2003 Server all External emails stops arriving to Exchange 2010 mailboxes. After starting 2003 server emails starts arriving. Kindly let me know where the issue is?
    1. Is there something wrong in my MX record? As external incoming emails are related to MX.
    2. Is this because of the Routing group connector created ? Do I need to delete it first?
    3. Since all the mailboxes are moved, successfully redirected to 2010, why all emails are still routed to 2003?
    I will be anxiously waiting for your response

  4. Carlos

    Hello Paul, a question about the Active Sync and OWA. I inherited a split DNS with 1 Exchange 2003 with NAT on a Cisco Firewall running as a BE/FE system. The FQDN inside is the same as it is publicly but with different addresses obviously one for internal and one for external. We want to start with a different FQDN for the new mail system inside and out (1 single Exchange 2010 behind the Cisco Firewall with NAT). I take it during the migration process I will have two links for each Active Sync and OWA? I will need to point the users that are still on the Exchange 2003 to for OWA and Active Sync is that correct? The new users that are going to be on the for the OWA and AS services with a new network addresses correct?

    In advance thank you for your time.


  5. athenkosi

    Where to find a out where a clients archives are located in Outlook 2003-2010?

  6. Isaias Costa

    Hello Paul,

    Your article is really helpful and easy to understand. I have a doubt and would appreciate your help.

    We have one SSL standart cert in our Exc 2003 SP2 and we are planning to migrate to the Ex2010 soon. This certificate will expire in September and we want to issue a UCC SAN cert to be used in the EXC2003 and later we will use this cert in the new EXC2010 server (will be implemented in October/November).
    I’m not sure if this will work, so its better to make sure before request this certificate.

    Thank you!!!

  7. Blazingblu

    Hi Paul,

    Does it matter if the same certificate is not used on the Exchange 2010 and Exchange 2003 server? I have a cert using the SHA-2 hash algorithm which is installed on my Exchange 2010 server and have had issues getting the SHA-2 cert’s to work on the Exchange 2003 server, so have a SHA-1 cert installed currently on the Exchange 2003 server. The SHA-1 cert on the 2003 server is a UC cert so I could add the additional names if need be. Does it just need the name on there or what additional names does it need too and will this configuration work?

    1. Avatar photo
      Paul Cunningham

      They can be different certs if that is all you can get. The Exchange 2003 server cert needs to have any names that it will be accessed via HTTPS. I usually included both the primary and legacy namespaces so that I could put the cert on in advance of the cutover of the primary namespace to Ex2010.

  8. Frank D'Amore

    Paul, We are performing a cross forest mail migration(from to Going from Exchange 2003 in the old forest to Exchange 2010 in the new forest. A trust exists between the old and new forest. We are migrating user accounts first. Is it possible for the users who are migrated to the new forest( to access their old mailbox via OWA(the old url) in the old forest(

  9. Yvonne

    It’s an remarkable article in favor of all the online viewers; they will obtain benefit from it I am sure.

  10. Joseph

    Hello Paul,

    So I have a 2003 environment working currently with a Godaddy cert. I have a cert for my 2010, but it is a self-signed cert for only that server from the previous engineer. I purchased a Godaddy cert and attempted to add the namespaces in, but it says that the common name is already present in the current certificate, which I assume means my current 2003 certificate using the email namespace. Why will it not simply let me get the certificate made to replace it? What should I do?

  11. Jenn

    Hi Paul,
    We purchased your guide and it has been very helpful. There is one thing I’m confused about though. We are currently using the same namespace for everything (outlook clients, OWA, activesync) on the exchange 2003 system. We use the same name internally and externally, the name is
    Is that the same case in this guide? I was wondering if outlook clients were using the name to connect. That’s the piece I’m not too clear on.

    1. Avatar photo
      Paul Cunningham

      In the guide the same namespace is used for OWA, Outlook Anywhere, and ActiveSync.

      A different namespace is used for the Exchange 2010 CAS Array (which is best practice).

  12. Mike

    This is a great article – thanks for that.
    But I have just a short question.
    Is it possible to install the extra Exchange 2003 when I have already one Exchange 2003 on the cluster and Exchange 2010 SP2 Rollup6 installed and most of the accounts are migrated and public folders has been moved totally?

    1. Avatar photo
      Paul Cunningham

      I don’t understand your scenario. Could you explain it in a bit more detail?

      1. Mike

        Currently we use an Exchange 2003 cluster and need to shut down old EVA storage. I need to migrate the service accounts which needs to be on the old Exchange 2003 to the standalone server.
        Because I am affraid to convert Exchange 2003 to a single node cluster, I thought about creating a second Exchange 2003 instance on a virtual machine and migrate the mailboxes and CDO scripts to this server and shutdown the cluster.
        this is why I am asking if this is possible to install second Exchange 2003 in the mixed 2003/2010 environment.

        1. Avatar photo
          Paul Cunningham

          I see. Yes its possible to install another Exchange 2003 server while you still have at least one other one already in the org.

  13. matthew g.

    Hi Paul, yet another great walk-through! Thank you so much for taking the time to create these. Just to cover another scenario, I did not have an SSL cert installed on my 2003 server and that changed the way things go at the end. Instead of selecting “Replace the current certificate” *(I didn’t even have that option) I had to select “Assign an existing certificate” I then had to confirm port 443 as the SSL port I wanted to use. I then got the “Certificate Summary” window which looked exactly like your last snapshot of the “Replace Certificate” window. Thanks again for the articles!

  14. Sven

    Paul, I have the following scenario broken and it seems a tough nut to crack. The coexistence between Exchange 2003+2007 and 2010 (which was working well) was broken after updating the Exchange 2010 to SP2.
    I got 90% of all functions back by changing the authentication for virtual directories on the 2010er. Active-Sync works with our mobile clients connecting to the EX2K3, where the users mailboxes reside, and Active-Sync resides. But http(s)-rpc is broken from outside. In the LAN everything is fine.
    I have been using google a lot but it looks like I am asking the wrong questions.
    Any ideas?

  15. Oliver

    Hi Paul, just got your guide and am hoping to use it in the next month.

    Question: I know the guide was written a while ago but is there any reason not to install with SP3 now instead of SP2?


      1. Oliver

        Thanks for the tip! I will check for more of those bugs before going live.

  16. kylelee

    Hi Paul,

    your statement about resolving the SSL cert warning:

    Issuing a new SSL certificate from a trusted, private Certificate Authority on your network (not ideal, but resolves the issue for computers that are domain members)

    I have an issued computer cert from the internal CA in the domain. Will this take care of the warnings that people will see pop up?


      1. kylelee

        Excellent. So this should allow me to install Exchange 2010 and introduce the server in to the environment without end users being prompted with the SSL error (technically)?…. because I definitely want to take your advice with installing it ahead of time before the cutover day and agree it is a little risky to leave it all for one day.

        1. Avatar photo
          Paul Cunningham

          I’ve used all these techniques with success in the past.

          1) Doing the first install after hours and acquiring the cert quickly from Digicert
          2) Using an internal CA to issue a temporary cert
          3) Installing just mgmt tools and acquiring the cert before installing the CAS role

          Best of luck!

        2. kylelee

          One more quick question :-)….

          #3) Is this just installing hub transport and Mailbox roles with mgmt tools?

          I will let you know how everything goes.


          1. Avatar photo
            Paul Cunningham

            You can install the management tools on their own without any server roles.

        3. kylelee


          I just wanted send you a quick note to let you know that the upgrade/migration went very smoothly thanks to your document and your support with all of my questions! šŸ™‚ I’ll leave the 2003 server on for another week or so before taking it fully out of the picture. I may have to hit you up with some questions with the decommissioning, but I’ll get in touch at that point.

          Thanks again!


  17. kylelee

    Hi Paul,

    I have purchased your 2003 to 2010 migration guide and I’m planning to do a 1 day cutover. So I have a couple of questions which I hope you can help me understand:

    1) Since I’m planning a 1 day weekend cutover (small environment of 130 mailboxes), is it necessary to do these steps for co-existence?
    2) Can I go ahead and install Exchange 2010 ahead of time and wait to do all of the cutover changes on the cutover day? or is it better to do the Exchange install on the day?
    3) What steps from your guide can I omit since it is a 1 day install, and move mailboxes? or do I still follow the exact same steps as outlined.
    4) I can export the SSL cert from Exchange 2003 and import it to be used on the Exchange 2010 server and maintain the same URL for OWA/AS/RPC-HTTPS?

    I appreciate your help on this. Thanks.


    1. Avatar photo
      Paul Cunningham

      1) If you’re planning a big cutover like that then you can skip the co-existence configurations.

      2) I would install it ahead of time, so that you aren’t rushing and have time to fully test it and configure backups/monitoring etc for your environment.

      3) Basically the entire co-existence chapter.

      4) The Exchange 2003 cert won’t have the correct names on it, even if you’re planning to use the same external name for OWA etc (it will be missing the Exchange 2010 server FQDN and the autodiscover name, for example). I recommend you provision a new SAN SSL cert for Exchange 2010.

      1. kylelee

        Hi Paul,

        So a couple more questions to clarify:

        #2) So once 2010 is installed, it will not affect the sending/receiving of Exchange 2003 until the send and receive connectors are configured etc… In other words, it will remain out of the picture until I’m ready to start the cutover?

        #4) When you suggest provisioning a new SAN SSL, can I safely assume that the certificate vendor should be able to re-issue a new SSL to use with the new Exchange server?

        Another question I forgot to ask:

        5) Is there anything special with the 2003 public folders? The client has requested to retain these for now, and move them to Sharepoint at a later time. Essentially, once the routing group connector between 2003 and 2010 is established, the public folders get replicated? Anything else that I need to look out for other than what you’ve outlined in your doc?

        Thanks again.

        1. Avatar photo
          Paul Cunningham

          2) Yes. The guide covers that and I’ll also refer you to this:

          4) Yes they should be able to, but that is a question for your vendor obviously. I’ve had no problems getting the certs I needed from Digicert.

          5) Public folders aren’t an enjoyable migration experience for me but the guide does cover the steps to get them across to the 2010 server (no it doesn’t happen automatically when the routing group connector is established). Frankly its a bit of a pain and there’s often a small number of replicas that won’t cleanly move and sometimes need to be forcibly removed.

        2. kylelee

          Hi Paul,

          Thanks for your responses.

          As you recommended to install Exchange ahead of time, I will likely run in to the SSL autodiscover pop up for the end users correct? I suppose if I don’t want this headache, I would need to sort out the SSL SAN cert with my cert vendor so its ready for installing on the new Exchange installation? It’s probably best then to wait for the cutover day to do everything in one shot.

        3. Avatar photo
          Paul Cunningham

          You can get around the autodiscover issue by installing all the pre-reqs for your CAS, then just installing the management tools and using those to generate the certificate request. When you have the certificate from your provider (which can take minutes if you do it right) you can then install the server roles and enable the cert immediately afterwards.

          Doing everything in one day is pretty risky if you ask me, but that is your call to make as I don’t know your environment and how complex your migration is going to be.

  18. sftc

    I purchased your book (which contains this article), and I just wanted to clarify something regarding the public IP that should be matched to the FQDN of the legacy Exchange server. My question revolves around this statement:

    “The public IP address that the DNS record is created for can be the same as the public IP address of your primary remote access name…”

    We use an external public IP service. Should the DNS A record that I create for contain the same public IP address used by the main internet-facing Exchange 2010 CAS server?

    1. Avatar photo
      Paul Cunningham

      You should read that sentence in its entirety. It can be the same IP address is you’re using a reverse proxy like ISA/TMG that can proxy the requests to different internal hosts based on the DNS name being requested.

      Otherwise you’ll need two different public IP addresses.

  19. Joseph Stanczak

    Paul, love all of your articles – very informative and concise. We are in the midst of deploying Exchange 2010 alongside our current 2003 environment, I need some clarification on namespace, and in particular in relation to Outlook Anywhere. Your articles have helped, just want to make sure we perform due diligence on this.

    We have a forest root domain, and a “production” domain, in which all users and Exchange exist. let’s call the root “” and the production domain “”. Our external domain name is “”. We have four AD sites, Site1, Site2, Site3, and Site4. We do host a zone for the “” on our AD integrated DNS for internal use, as well as externally hosts DNS for the external URLS (aka,

    The plan is to have a CAS Array created at the two larger sites, Site1 and Site2, using NLB for load balancing until we can budget for hardware LB (Kemp?), which are external facing to the Internet. Site3 and Site4 will also have a CAS Array setup, however only a single host per array, and they are NOT external facing to the Internet. Each site has their own database server and the hub transport role is combined with the CAS server. Our SAN currently has,,, (Site1), and (Site2).

    Two questions:
    1. Best way to configure the Outlook clients. Should the mailbox databases be associated with the internal names of the array (,, etc), thus the Outlook clients will be “homed” to each of the site arrays?

    2. In regards to OA, should the client be set to the external names ( and, and then redirected to that Site3/4 users array in their respective site? Or should each site have an externally facing connection to facilitate OA?

    I hope that is clear!


  20. Tony Blunt

    Hi Paul,

    Yes, both the 2003 and 2010 have the UC certificate I obtained for the project installed, with all the required SANs configured, and the cert is trusted by all servers in question (Starfield Tech cert).

    The requests coming from the 2010 box to the 2003 box are coming in on port 80, so it’s like the 2010 server isn’t trying to use SSL. Furthermore, if I deselect ‘Require Secure Channel (SSL)’ in the properties of the Microsoft-Server-ActiveSync virtual directory in IIS on the 2003 box, then it all works!

    1. Tony Blunt

      Obviously though, I’d rather not disable SSL, even if only for the co-existence period if I can help it…

      1. Tony Blunt

        Paul, sir, you are a star! Reading that link makes sense. I’ll just disable the SSL requirement on the 2003 box. I was starting to think I’d just have to go with this, since it’s only really disabling SSL for that last leg of the journey, but it’s always good to get confirmation from an expert.

        Thanks for the prompt replies today, and thanks for the walkthrough, which has proved extremely helpful.

        If I get stuck with anything remaining in the migration then I’ll be sure to give you a shout.

        Thanks again!

  21. Tony Blunt

    Hi Paul,

    I have bought your walkthrough and found it amazingly helpful, thank you. I am however having trouble getting co-existence to work between my single Exch2003 box (there was no front end server, just the one box), and a standalone Exch2010 box. I’ve set up the legacy namespace etc and I’m also using TMG for the publishing rules. I’ve created the new 2010 publishing rule and the legacy namespace rule.

    When I switch over to the 2010 publishing rule however, my 2003 mailboxes lose Outlook Anywhere (RPC over HTTP) and Activesync access. OWA redirection is fine though. My 2010 mailboxes are fine – autodiscover works, activesync, OWA and Outlook anywhere work a treat.

    I notice your walkthrough did involve a 2003 front/back end architecture – am I supposed to be doing something different for my scenario? It seems that the CAS is just not proxying back to my 2003 box for those mailboxes. I’m a single domain/single internet facing site.

    Any pointers would be most appreciated!

    1. Tony Blunt

      Just to add a bit more info to my issue, when I run an Activsync test using ExRCA for a 2003 mailbox, it fails at the ‘An ActiveSync session is being attempted with the server.’ step. Basically I’m getting:

      403 – Forbidden: Access is denied
      You do not have permission to view this directory or page using the credentials that you supplied.

      ExRCA says this is from IIS7 so I can only assume it’s the Exchange 2010 box denying access?

      Please help!

      1. Tony Blunt

        Since I’m getting no love from this forum I thought I’d just post a fix for one of two of my issues:

        I got Outlook Anywhere working by going to ESM on the 2003 server, properties of the server, RPC-HTTP tab, and selecting ‘RPC-HTTP back end server’. ESM will throw an error message saying that there is no front -end server, but ignore that.

        After a while (wait up to 15 minutes), the RpcHttpConfigurator service on the 2010 box will write the appropriate entries to…


        …on the 2010 server, allowing the 2010 to now proxy RPC traffic to the 2003 server. Hope this maybe helps someone, as this was not clear in the ESP walkthrough, or any other document I found! Admittedly, it’s rather obvious now I think about it!

        I’m still getting 403 – Forbidden issues with ActiveSync though, so if anyone has any suggestions, please feel free to chip in!

      2. Avatar photo
        Paul Cunningham

        For the ActiveSync issue, have you done the steps starting on pg135 of the guide for the Exchange 2003 ActiveSync permissions?

        1. Tony Blunt

          Hi Paul,

          Thanks for getting back to me.

          Yes, I have installed the hotfix and ensured that the Microsoft-Server-ActiveSync virtual directory is set to accept integrated auth. I’ve also given the server a full reboot just for good measure.

          I’ve been looking at the IIS logs on both the 2010 server and 2003 server, and it seems the requests from the 2010 server are being logged on the 2003 box (at least I can see requests coming from the 2010 server’s IP), so it is proxying the traffic. However I am seeing a lot of 403.4 status codes on the 2003 server logs, which to my knowledge means that the 2010 box is not using SSL?

          Any ideas? I’m starting to get board members breathing down my neck on this!

          Thanks in advance.

        2. Avatar photo
          Paul Cunningham

          Does the 2003 server have an SSL certificate installed that the Exchange server would trust?

  22. Rob

    Iā€™m doing a EX2003 to EX2010 migration. I have a question on the Certs. From my understanding, my 2003 server ONLY needs a Cert with the legacy namespace. My 2010 server needs a SAN Cert with my webmail namespace and the autodiscover namespace. Everything I see says it should also have the legacy namespace, but is that a requirement for the 2010 server? Is it only in there so we only need one SAN Cert for both servers? I have a single name cert with legacy and would like to just use that for the 2003 server, but need to get confirmation that legacy is not needed on the 2010 server.

    1. Avatar photo
      Paul Cunningham

      You have have the legacy name just in the separate cert if you want. But later when you decom the 2003 server, it is a possibility that an external client or device will try to connect to the legacy name still, and so if that name is also on the 2010 cert you will avoid issues with that situation.

  23. corby

    Great information. I’m hoping you are still responding to these posts.

    I have gone through great lengths to set up a copy of our production environment in a lab setting. I mention this, because I don’t really want to purchase any certs for the lab setting.

    I have the 2010 CAS redirecting to the 2003 FE server. The browser is redirected fine, however the credentials don’t seem to get passed and the user is required to enter the credentials a 2nd time when arriving at the 2003 FE server.

    I have searched all over looking for an answer to this problem. The only possible problem that I think might be causing the need for a 2nd login is not having the certs installed. Would not having the certs cause the user to re-enter their credentials again? When the user re-enters their credentials the 2003 FE works fine, so I’m pretty sure that I have everything else configured properly.


    1. Michael

      I believe you have to enable forms-based authentication on your Exchange 2003 front-end server to allow users to access their mailboxes through single-sign during coexistence.

  24. fkk031c

    Best article out there… I was stuck on how to implement the legacy namespace with an additional IP on my Sonicwall until I read this article.

    1 to 1 NAT for the legacy namespace was my solution.

  25. dror

    hi what about with mobile phone and outlook any where? with mail box on server2003

    can work with co coexistence 2003-2010

  26. chris

    We are in a lengthy 2003-2010 migration which will take several months due to huge volumes o mailboxes, & therefore need 2003 and 2010 mailboxes to coexist. have you come across the situation whereby resource mailboxes (e.g. meeting rooms) can be shared across both 2003 and 2010 users? we are finidng that meeting room bookings do not work both ways e.g. if the resource mbx is ngrated to 2010, it doesn’t work for 2003 users while if left in 2003, can’t be used by 2010 users.

    1. Avatar photo
      Paul Cunningham

      What do you mean exactly by “doesn’t work” and “can’t be used”. How are each of the types of mailbox users trying to access the resource mailboxes to make bookings?

  27. Brad Kulick

    Hi Paul,

    Just a quick question about the SSL certificates. Is it possible to use a standard SSL certificate on the Exchange 2003 server (as we have now), or do I need to have the SAN/UCC certificate include the name and then export it? The reason being is that I can have the standard SSL certificate re-issued for free, and our current SAN/UCC certificate would require an additional fee to add another subject alt. name.

    Thanks for your time!


    1. Avatar photo
      Paul Cunningham

      You should be able go either way with the 2003 server – a single-name cert with just the legacy name, or a SAN cert with multiple names.

      Depends on the environment of course, but every case I’ve worked on it has been fine to do it that way.

  28. Xavi

    We are in the process of migrating from Exchange 2003 to Exchange 2010.
    We have received the certificates from GoDaddy. We have purchase UCC to manage the different names.
    We are now dealing with the co-existence of Exchange 2003 Front End and Exchange 2010 WebApp.
    We have imported the certifictes into to the Exchange 2010 servers and assigned the services.
    Since we are going to be implementing legacy and coexist with Exchange 2003 FE we have exported the certificate from Exchange 2010 and imported into the Exchange 2003 OWA as described in your article.

    The problem that I have is that once the Exchange 2010 UCC exported certificate is imported into Exchanghe 2003 OWA the computers are getting a certificate error when they try to access the OWA server. Once I change the certificate back to the old certificate everything works fine.

    I have done the process from scratch a couple of times but I am getting the same problem.

    I ran of options and I am not sure what is wrong here.

    Any advise?

    Thank you.

    1. Avatar photo
      Paul Cunningham

      Depends on the certificate error you’re getting.

      If its a name mismatch error, the certificate should include both the webmail name (eg that you are planning to migrate from 2003 -> 2010, as well as the legacy name (eg that the 2003 server will be configured as once the name is cut over to the 2010 server.

      If its one of the other errors (eg trusted root cert authority) that is a separate issue of course.

      1. Xavi

        Hi Paul,
        Thanks for you feedback. The Intermediate certificate didn’t get installed correctly. I have noticed that neither your guide or the article above have the intermediate certificate step. At least with GoDaddy the new certificate for Exchange 2003 will not work unless the intermediate certificate has been imported there as well.

        1. Nino Iaccarino

          I also receive an error when I have the SAN Cert installed on my 2003 box. Did you ever get this resolved?

        2. Avatar photo
          Paul Cunningham

          Hi Nino, looks like in Xavi’s case there were additional intermediate certs required to be installed. That is something that will vary from each certificate authority so you should check with the CA that you used to purchase your cert from (they hopefully have some support info published about it, or contact their customer service).

        3. Nino Iaccarino

          Hi Paul, Yeah that is what I figured, but it is weird. I am pretty sure I have the intermediate certs installed correctly, as it works fine on the 2010 Box. I did setup a test website on my exchange 2003 box just to see if I get the same error and I do, so it is definitely something strange with the certs.. :/ but works fine on 2010 :/

        4. Avatar photo
          Paul Cunningham

          Restart required perhaps? I recall when installing intermediate certs on ISA server it needs a full restart of Windows, not just the Firewall services for example.

        5. Nino Iaccarino

          Ohhh yeah, didn’t want to have to do that really, but I will give it a shot and pencil it in for this evening. I will report back if it resolves my problem, and hopefully get a response from GoDaddy shortly too.


        6. Nino Iaccarino

          Hi there, Just reporting back. I performed a reboot of our 2003 Exchange Server which I installed the SAN certificate onto and this resolved the problem immediately. Rather annoying but I am glad that it is all working now. Thank you for your help!

  29. Suresh

    Thanks Paul!

  30. Suresh

    Hi Paul,

    We bought the migration guide and it really helped us in preparing for the Exchange 2003-2010 migration. Thanks for the brilliant guide. I ‘m getting confused with our current setup.
    Our current Exchange 2003 OWA name space is The public ip is natted to the interal ip address of the Exchange 2003 front end server. Internal users also use the same name space. The exchange 2003 front end server host name is also mailweb in the active directory domain “”.
    We would like our users to use the same name space for the exchange 2010 OWA, ActiveSync,and Outlook Anywhere during and after the migration.
    How can I accomplish this task?


    1. Avatar photo
      Paul Cunningham

      The Ex2003 FE server is actually named “mailweb”? Thats going to cause some problems.

      For external OWA users you’d probably be able to do some tricks with ISA/TMG to handle it, but internally that won’t help.

      I think what you should do is deploy a new Ex2003 FE of a different name so that “mailweb” can become just a DNS alias, then you will be able to migrate that DNS alias over to Exchange 2010 and do the co-existence phase properly.

  31. Rob Clarke

    Hi Paul,
    Great article that helps to clear up a lot of questions I had.
    But I’m still a little confused with OWA access. I would really appreciate it if you are able to help clear it up in mind.
    Do I move the existing certificate ‘’ from E2K3 to the E2K10 server, and create a new ‘’ certificate and apply that to E2K3 server?
    Then change firewall access on exisitng ‘’ public dns record/IP to E2K10.
    As I am not using ISA server, but a Watchguard firewall. Should I then create a public dns record on a different public IP for the ‘’ certificate and E2K3 server?

    Then for OWA access no matter what server the mailbox resides, do users continue to access the ‘’ URL?
    With that configuration, does the incoming request for ‘’ come into E2K10, then if intended for E2K3 goes back out to the WAN and back in again to E2K3?

    I hope I have made myself clear. Quite difficult when I am not clear in my own mind….

    1. Avatar photo
      Paul Cunningham

      That sounds correct yes.

      With ISA you can get away with a single IP, but I assume many other firewalls will need the primary and legacy namespaces to be on separate IP’s. Depends on the firewall’s capabilities I guess.

      But yes, you’re pretty much spot on there. Its a tough concept to grasp sometimes until you see it in action the first time. If you can arrange an out of hours window to test it, and be ready to roll back if you get into uncomfortable territory, then you may find it all just goes well šŸ™‚

      1. Rob Clarke

        WOW! Thank you for the fast response!!
        I seem to have had a EUREKA moment!
        I will look into the firewalls capabilities for hosting the two namespaces, and configure in the most appropriate way.
        But at least now I understand the concept.
        Thank you!

  32. SJH

    Hi Paul,

    Great article – much easier to follow than the MS KBs.
    As I’m new to the issue of SAN certificates etc (most of my clients were able to forgo the co-existence) in this case the client has a certificate for the existing Exchange 2003 that will be immediately revoked by the CA once we request the new cert from the Exchange 2010 box. We need to avoid an outage for Active Sync in particular.
    Also is it possible to obtain the “legacy” cert from an alternate CA?
    Do we need the “autodiscover” URL added to the New (Exchange 2010) cert as currently we have encryption off as users are on OL 2003 but will be migrating to OL 2010 soon.

    1. Avatar photo
      Paul Cunningham

      Why will the other cert be immediately revoked when you request the new one?

      1. SJH

        My client informs me that this is the case with Thawte – he manages the certificate registration

  33. KD

    Hi Paul,

    Thanks for the answer!!

    One more question. IF I move OfflineAddressBook from 2003 to 2010, users who has mailbox on exchange 2003, will be able to get address book sync with there outlook 2007? I want to keep exchange 2003 running and keep couple of mailboxes.

    1. Avatar photo
      Paul Cunningham

      Make sure the OAB is still configured for Public Folder distribution, and the Outlook 2007 clients will continue to download it from the 2003 server’s PF database.

      1. VirtualizeThis

        Hi Paul- I wonder if you could comment on the following issue and related questions below? I am posting it here because I saw your comment re Outlook 2007 being able to download OAB via Public folders- I thought this version had to use autodiscover/OAB virtual directory?

        Re OAB/autodiscover in an Exchange 2003-2010 scenario: users are experiencing issues downloading OAB/having out of date GAL entires as a result (occuring for Outlook 2010 users- not sure about Outlook 2003 users yet).
        I have walked half way into a migration for a particular CAS/site within an Exchange Organisation- the mailboxes still reside on Exch2k3. The OAB generation server has been moved to the Exch2k10 CAS server.

        Presumably Outlook 2003 clients will continue to download/use OAB from public folders? Do they connect to the Exch2k10 CAS server for this? I enabled PF distribution on the Exch2k10 CAS server and enabled OAB replication from Exch2k3 to Exch2k10 CAS server.

        Can Outlook 2010 clients download the OAB via PF? Or is autodiscover/OAB a requirement? Autodiscover has not been fully configured is not functioning correctly for this site, which needs to be fixed, but if Outlook 2010 can download OAB via PF this would be an interim fix for this urgent end users issue.

        Are there any dangers of configuring autodiscover in coexitence? I read an article about Outlook 2010 client s with mailboxes residing on Exch2k3 being pointed to empty/non migrated Exch2k10 mailboxes suddenly one Monday morning- is this scenario possible?

        Would appreciate your advise!

        1. Avatar photo
          Paul Cunningham

          Outlook 2003 requires PF for OAB. Outlook 2010 can use either PF or web distribution.

          Exchange 2003 mailbox users, regardless of which Outlook version, connect to Exchange 2003 for RPC/MAPI (ie mailbox and PF access).

          Exchange 2003 mailbox users with Outlook 2010 will also connect to web services such as Autodiscover. This may cause SSL warnings to popup if the SSL certs on the Exchange 2010 server have not been configured correctly.

          More info:

          In a co-existence scenario I would have OAB configured for both web and PF distribution.

        2. VirtualizeThis

          Thanks very much for the valuable advise Paul. Appreciate it and the prompt response. I’ll be taking a look at your Windows 2003-2010 upgade book and no doubt buying it this afternoon.

  34. Shingo


    Great article! I’m in the planning stages of performing an Exchange 2003 to 2010 transition and was a little confused with the namespace configuration. Your article has clarified most of my concerns; however, I have a question regarding changing to the legacy namespace on Exchange 2003 FE. Do you or anyone have instructions on how to change the namespace on the Exchange 2003 FE? We use OWA as well as ActiveSync so we need the legacy namespace changed for both. I was going to buy your “Exchange 2003 to Exchange 2010 Migration” ebook, but I was hesitant because the book states “migration.” I was looking for a book on “transition.” So if the migration book is the correct one, will I also find how to change the legacy namespace for Exchange 2003 FE in the book?



    1. Avatar photo
      Paul Cunningham

      Hi Shingo, the legacy namespace/URL only applies to OWA, because OWA traffic is *redirected* by the Exchange 2010 internet-facing CAS to the 2003 FE, whereas ActiveSync traffic is *proxied* by the Exchange 2010 CAS to the 2003 FE.

      Yes, the guide explains how to configure both services for co-existence.

      “Migration” and “transition” refer to the same thing. In the Exchange 2007 era “transition” was more popular because it made clear that there was no in-place upgrade from previous Exchange versions. These days that seems to be well understood by everyone and the words “transition”, “migration” and “upgrade” seem to be used depending on who you’re talking to but all meaning the same thing.

      1. Shingo

        Thanks! I’ll be buying the ebook either this week or next, but I’m definitely gonna get a copy. Appreciate your quick response.

  35. rasheedah

    Hi Paul,

    If you have a casarray should the identity be pointing to the array external url? Thanks

  36. kd

    Hello Paul,

    I am in between of migration from exchange 2003 to exchange 2010. I am little confused with SSL migration.
    Can I use same SSL common name, which is currently assign to exchange 2003, for new exchange 2010 SSL certificate creation? I am not sure will godaddy will allow to create two ssl certificate, with the same common name? I heard Active-sync to iphone and other devise stopped working after certificate is import to exchange 2003.
    Has anyone had this issues?

    1. Avatar photo
      Paul Cunningham

      Yes you can use the same name in your Exchange 2010 cert. If Godaddy won’t let you do that then find a better SSL provider.

      I’ve never experienced a problem with ActiveSync after importing the certificate to the 2003 server.

    2. Jason Hunter

      I encountered this issue and it was fixed by making sure the user acct in AD was not a Domain Admin and therefore had inheritable permissions on their AD acct.

  37. Santos

    Dear Paul,

    I have case in my office, we use exchange server 2003 with outlook, every saturday & sunday we cannot send / receive email, what’s problem? is there something wrong with exchange configuration? any ideas to solve it?

    1. Avatar photo
      Paul Cunningham

      The first thing I’d look at is what happens on Saturdays/Sundays? Is that when your backups run? Is that overloading the server? Does your office network drop out on those days? Is the cleaner unplugging your network switch to plug in their vacuum cleaner?

      Could be anything. You need to work out what other things are consistently happening on those days.

  38. martin stovold


    Great migration document, has really asssited me with the transition!

    When exporting the cert back to 2003 I followed the instructions but could not locate the certificate to import, the only certificates it showed me were my current and old certs for OWA, any ideas?


    1. Avatar photo
      Paul Cunningham

      You mean when you’re browsing to find the file to import? Check that it’s showing “all files” and not just one specific file extension.

Leave a Reply