The Exchange 2016 migration for Not Real University is getting to the stage where they can start cutting over client access and transport services to the Exchange 2016 Mailbox server. This stage is referred to as coexistence. Before any services are cut over, there’s some preparation tasks to perform.
Health Check
First, it’s advisable to perform a general health check of the existing production environment. The reason for performing a health check now is to determine if there are any existing problems that you might not already be aware of. If you start a migration, then notice the problems, troubleshooting is more complicated because you will be unsure whether the problem has been caused by the migration or not.
To perform a health check you can:
- Run the Test-ExchangeServerHealth.ps1 script.
- Use the Remote Connectivity Analyzer to test external access such as Outlook Anywhere and ActiveSync.
- Verify that backups for the existing and new Exchange servers are running successfully.
- Review your server event logs for any unusual errors.
- Perform Outlook tests on the network including creating a new Outlook profile, scheduling a meeting and viewing free/busy information for attendees, accessing public folders, and sending/receiving internal and external email.
Outlook Anywhere
When the client access namespaces are cut over to the Exchange 2016 server, Outlook Anywhere connections for Exchange 2013 and 2010 mailbox users will be proxied from the 2016 server to the 2013 or 2010 server. For Exchange 2010 mailbox users, Outlook Anywhere authentication needs to be configured on the 2010 server to allow the proxied connections to work.
The following command will display the Outlook Anywhere configuration for Exchange 2010 servers.
|
1 2 3 4 5 6 7 8 |
[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl servername,externalhostname,*auth* ServerName : NREXCH10 ExternalHostname : mail.notrealuniversity.com ExternalClientAuthenticationMethod : Ntlm InternalClientAuthenticationMethod : Ntlm IISAuthenticationMethods : {Ntlm} |
If the IISAuthenticationMethods are configured for Basic only, then the following command will add NTLM authentication as well.
|
1 |
[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | %{Set-OutlookAnywhere "$_RPC (Default Web Site)" -IISAuthenticationMethods Basic,NTLM} |
OWA Authentication
The default OWA authentication settings for a newly installed Exchange 2016 server are:
- Forms-based authentication
- DomainUsername logon format
If you have a different logon format requirement you should make those changes to the virtual directory settings now before you cut over any namespaces or move any mailboxes. For example, Not Real University uses the user principal name (UPN) as the logon format, which matches the users’ primary email addresses.
Testing Client Access
The cutover of client access namespaces to Exchange 2016 involves a DNS change. If you change the DNS record for your client access namespace, all of your users will begin making connections for some Exchange services to the Exchange 2016 server. If there’s a problem, it will impact all of the users.
To avoid an unexpected problem, it’s advisable to test the client access change before you modify the DNS record. To perform this test you can use a hosts file entry on a test workstation, to point that single client’s connections to the Exchange 2016 server. You can follow the steps outlined in this article to modify the hosts file.
Moving Arbitration Mailboxes
The final task before any production services are cut over to Exchange 2016 is to move the arbitration mailboxes. Arbitration mailboxes are responsible for things like transport moderation and audit logging, and need to be hosted on the highest version of Exchange in the organization. The mailboxes themselves are typically quite small and will move fairly quickly.
In the Exchange Management Shell, run the following command to move the mailboxes to a database on your Exchange 2016 server.
|
1 |
[PS] C:\>Get-Mailbox -Arbitration | New-MoveRequest -TargetDatabase DB2016-01 |
In the next article in this series, we’ll look at performing the cutover of the client access namespaces to Exchange 2016.
If we have OWA with basic auth on 2010 and we configure 2013 also with basic auth. When a user with mailbox on 2010 access OWA on 2013 after CAS switch. He auth on 2013 and then he will be proxied to 2010. Does he need to auth with basic auth again?
Why use Basic auth instead of forms-based auth?
Customer does not want fba cause Basic is wat users are used to user.
But do users need to auth twice (once on 2013 owa & then 2010 owa) if Basic auth is used?
And does this also apply to fba?
If FBA is used and coexistence is set up properly, they only need to auth once.
If Basic is used, I’m not 100% sure because I haven’t tried it lately, but I believe they will get prompted for auth a second time.
FBA is a better use experience. I’m not sure why they would want to stick to Basic.
Paul,
I have Exchange 2016 installed doing a co-existing migration from 2010. I am seeing that when I connect to Exchange 2016 via OWA I can authenticate but it keeps going to only one of my 5 Exchange 2010 CAS servers? Do you have any idea on why that would be? I looked at the IIS logs in 2010 and I see the health check responding it is live and made sure none of the CAS servers are not excluded so I’m confused on why it is only going to one. Any thoughts?
Thanks,
Rob
Hello Paul,
we have an eviroment with one MBX2010 and installed a new MBX2016. All internal URLs are FQDNs. External URLs are mail.company.com.
I know this should be corrected in future.
We wanted to test if EX2016 can proxy internal outlook connection to EX2010 mailboxes. So, on a testclient, we canged the host file like this: IPofEX2016 FQNDofEX2010.
Outlook, when started with a profile for a EX2010 mailbox wants to connect to mail.company.com and gets a certificate warning, because mail.company.com isn’t configured in internal DNS and ends up on the firewall.
Maybe this was a stupid test, but can you explain, why outlook wants to connect to mail.company.com? That URL is not used on any virtual directory at all.
Thx,
Ulli
I can’t see your environment, so it’s hard to say what might be wrong. But it sounds like you realise that your namespaces are not set up properly. So I would suggest doing the work to align your configuration with the recommended practices first.
EDIT:
Should be : That URL is not used on any virtual directory at all as the INTERNALURL
Hello Paul,
When i do a migration from Exchange 2010 to Exchange 2016. Is it neccesary that Outlook Anywhere is configured on Exchange 2010 or can I leave this disabled. It is not configured right now. When it is neccesary to enable it, does this have impact on the current Outlook 2013 clients?
When i set de Autodiscover dns to the Exchange 2016 envirionment we have issue on severall clients not all, that they don’t receive free/busy information in Outlook when the want to schedule a meeting.
I don’t know of any specific scenarios or problems caused by not enabling it, because I always enable it.
When I enable it, does this have impact on the current Outlook 2013 clients? Do they get any pop-ups or are de Outlook profiles being reconfigured?
We are migrating from exchange 2010 to Exchange 2016, all virtual directories has been configured on Exchange 2016 and works fine, but while i am configuring outlook for a mailbox on exchange 2016 or redirecting traffic to exchange 2016 outlook clients start asking for credentials and not picking from user login.
while configuring outlook for new account its not authenticating with windows logon have to put Domain\user and password.