The Exchange 2016 migration for Not Real University is getting to the stage where they can start cutting over client access and transport services to the Exchange 2016 Mailbox server. This stage is referred to as coexistence. Before any services are cut over, there's some preparation tasks to perform.
Health Check
First, it's advisable to perform a general health check of the existing production environment. The reason for performing a health check now is to determine if there are any existing problems that you might not already be aware of. If you start a migration, then notice the problems, troubleshooting is more complicated because you will be unsure whether the problem has been caused by the migration or not.
To perform a health check you can:
- Run the Test-ExchangeServerHealth.ps1 script.
- Use the Remote Connectivity Analyzer to test external access such as Outlook Anywhere and ActiveSync.
- Verify that backups for the existing and new Exchange servers are running successfully.
- Review your server event logs for any unusual errors.
- Perform Outlook tests on the network including creating a new Outlook profile, scheduling a meeting and viewing free/busy information for attendees, accessing public folders, and sending/receiving internal and external email.
Outlook Anywhere
When the client access namespaces are cut over to the Exchange 2016 server, Outlook Anywhere connections for Exchange 2013 and 2010 mailbox users will be proxied from the 2016 server to the 2013 or 2010 server. For Exchange 2010 mailbox users, Outlook Anywhere authentication needs to be configured on the 2010 server to allow the proxied connections to work.
The following command will display the Outlook Anywhere configuration for Exchange 2010 servers.
|
1 2 3 4 5 6 7 8 |
[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl servername,externalhostname,*auth* ServerName : NREXCH10 ExternalHostname : mail.notrealuniversity.com ExternalClientAuthenticationMethod : Ntlm InternalClientAuthenticationMethod : Ntlm IISAuthenticationMethods : {Ntlm} |
If the IISAuthenticationMethods are configured for Basic only, then the following command will add NTLM authentication as well.
|
1 |
[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | %{Set-OutlookAnywhere "$_RPC (Default Web Site)" -IISAuthenticationMethods Basic,NTLM} |
OWA Authentication
The default OWA authentication settings for a newly installed Exchange 2016 server are:
- Forms-based authentication
- DomainUsername logon format
If you have a different logon format requirement you should make those changes to the virtual directory settings now before you cut over any namespaces or move any mailboxes. For example, Not Real University uses the user principal name (UPN) as the logon format, which matches the users' primary email addresses.
Testing Client Access
The cutover of client access namespaces to Exchange 2016 involves a DNS change. If you change the DNS record for your client access namespace, all of your users will begin making connections for some Exchange services to the Exchange 2016 server. If there's a problem, it will impact all of the users.
To avoid an unexpected problem, it's advisable to test the client access change before you modify the DNS record. To perform this test you can use a hosts file entry on a test workstation, to point that single client's connections to the Exchange 2016 server. You can follow the steps outlined in this article to modify the hosts file.
Moving Arbitration Mailboxes
The final task before any production services are cut over to Exchange 2016 is to move the arbitration mailboxes. Arbitration mailboxes are responsible for things like transport moderation and audit logging, and need to be hosted on the highest version of Exchange in the organization. The mailboxes themselves are typically quite small and will move fairly quickly.
In the Exchange Management Shell, run the following command to move the mailboxes to a database on your Exchange 2016 server.
|
1 |
[PS] C:\>Get-Mailbox -Arbitration | New-MoveRequest -TargetDatabase DB2016-01 |
In the next article in this series, we'll look at performing the cutover of the client access namespaces to Exchange 2016.
Paul is a Microsoft MVP for Office Apps and Services and a Pluralsight author. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server.
If we have OWA with basic auth on 2010 and we configure 2013 also with basic auth. When a user with mailbox on 2010 access OWA on 2013 after CAS switch. He auth on 2013 and then he will be proxied to 2010. Does he need to auth with basic auth again?
Why use Basic auth instead of forms-based auth?
Customer does not want fba cause Basic is wat users are used to user.
But do users need to auth twice (once on 2013 owa & then 2010 owa) if Basic auth is used?
And does this also apply to fba?
If FBA is used and coexistence is set up properly, they only need to auth once.
If Basic is used, I’m not 100% sure because I haven’t tried it lately, but I believe they will get prompted for auth a second time.
FBA is a better use experience. I’m not sure why they would want to stick to Basic.
Hi Paul,
Separate question from this topic,
Question :-Once we move mailbox from exchange 2010 to 2016 it needs to restarted webapppool on all server to connect mailbox ,any fix to autocorrect
OR
Any permanent fix or script which does for all server rather than logging individual ?
Article reffered:- https://support.microsoft.com/en-us/kb/3097392
Restart-WebAppPool MSExchangeAutodiscoverAppPool
Paul,
I have Exchange 2016 installed doing a co-existing migration from 2010. I am seeing that when I connect to Exchange 2016 via OWA I can authenticate but it keeps going to only one of my 5 Exchange 2010 CAS servers? Do you have any idea on why that would be? I looked at the IIS logs in 2010 and I see the health check responding it is live and made sure none of the CAS servers are not excluded so I’m confused on why it is only going to one. Any thoughts?
Thanks,
Rob
Hello Paul,
we have an eviroment with one MBX2010 and installed a new MBX2016. All internal URLs are FQDNs. External URLs are mail.company.com.
I know this should be corrected in future.
We wanted to test if EX2016 can proxy internal outlook connection to EX2010 mailboxes. So, on a testclient, we canged the host file like this: IPofEX2016 FQNDofEX2010.
Outlook, when started with a profile for a EX2010 mailbox wants to connect to mail.company.com and gets a certificate warning, because mail.company.com isn’t configured in internal DNS and ends up on the firewall.
Maybe this was a stupid test, but can you explain, why outlook wants to connect to mail.company.com? That URL is not used on any virtual directory at all.
Thx,
Ulli
I can’t see your environment, so it’s hard to say what might be wrong. But it sounds like you realise that your namespaces are not set up properly. So I would suggest doing the work to align your configuration with the recommended practices first.
EDIT:
Should be : That URL is not used on any virtual directory at all as the INTERNALURL
Hello Paul,
When i do a migration from Exchange 2010 to Exchange 2016. Is it neccesary that Outlook Anywhere is configured on Exchange 2010 or can I leave this disabled. It is not configured right now. When it is neccesary to enable it, does this have impact on the current Outlook 2013 clients?
When i set de Autodiscover dns to the Exchange 2016 envirionment we have issue on severall clients not all, that they don’t receive free/busy information in Outlook when the want to schedule a meeting.
I don’t know of any specific scenarios or problems caused by not enabling it, because I always enable it.
When I enable it, does this have impact on the current Outlook 2013 clients? Do they get any pop-ups or are de Outlook profiles being reconfigured?
We are migrating from exchange 2010 to Exchange 2016, all virtual directories has been configured on Exchange 2016 and works fine, but while i am configuring outlook for a mailbox on exchange 2016 or redirecting traffic to exchange 2016 outlook clients start asking for credentials and not picking from user login.
while configuring outlook for new account its not authenticating with windows logon have to put Domain\user and password.
Hi Paul and thanks for a great guide.
We have Exchange 2010 and 2016 in place (single server), but currently external and internal DNS still points to old 2010 server.
We implemented new reverse proxy for use with 2016 server with working external IP.
We edit hostfile on local computer (that can reach client acces array) and pointed autodisover and mail to new external ip. This works fine, but when setup on computer that is on external network, it stops at the point when we launch outlook (auto configuration works fine). It ask for username and password, but outlook hangs..Looks like this: https://social.technet.microsoft.com/Forums/en-US/41a36318-f6aa-4b4a-82e1-91e5941cc65a/exchange-2010-and-2016-outlook-hangs-during-loading-profile?forum=exchangesvrclients
The account(s) tested is hosted on Exchange 2010. Account hosted on Exchange 2016 works fine.
Any idea?
thanks!
Have you done the co-existence config for Outlook Anywhere?
Hi.Is it necessary to move Arbitration mailbox at this point or we can migrate them later before moving user mailboxes?
Is there a reason you don’t want to move them?
Not an special reason.Just because in your Pluralsight videos you do that before moving user mailboxes and I document our migration based on that.
I don’t really understand what you’re asking then. The arbitration mailboxes need to be moved first before you move any other mailboxes, that’s the golden rule here.
I thought maybe there is a need for moving them before mail flow migration.
Sorry.I lost the order of migration.You are right
Paul,
What are the consequences of not moving the arbitration mailboxes before migrating mailboxes fri 2010?
Per the article: “Arbitration mailboxes are responsible for things like transport moderation and audit logging, and need to be hosted on the highest version of Exchange in the organization.”
Move them first, otherwise those things won’t work.
Hi Paul
please advice me urgently for this case:
i have 2 exchange 2010 and 2016 same like this article everything working until i have stuck when all mailboxes still exist on exchange 2010 and i have to proxy the access through exchange 2016..
i changed HOSTS file to redirect mail.domainname.com to exchange 2016 and normally proxy the OWA connection to 2010.
put when i try to open outlook it gives me this message:
Cannot open the Outlook windows. The set of folders cannot be Opened. You must connect to Microsoft Exchange with the current profile.
is this cuz exchange 2010 works MAPI/RPC and 2016 works MAPI/HTTP?
and if yes what i have to do?
What is your CAS Array namespace for Exchange 2010?
i dont have cas array i have 1 exchange 2010 Multi-Role and exchange 2016
and i have 1 name space (mail.gbands.xyz)
Ok what is the RPCClientAccessServer property set to on the Exchange 2010 databases?
When i ran :
Get-MailboxDatabase Databasename |select *RPCclientaccessserver*
RpcClientAccessServer
———————
mail.gbands.xyz
Please Paul i am still waiting your answer why exchange 2016 not proxy RPC connection for internal outlook users.
If Outlook Anywhere is disabled on Exchange 2010, will it need to be enabled so Exchange 2016 can proxy connections back?
I always enable it, even when the customer says they don’t use it.
Proxy is not working for me from 2016 to 2010 for mailboxes. Did I need to set both internal and external to basic and NTLM?
Oops, dumb question sorry. We’re setting IIS authentication… Either way There is something that’s not working for me. IIS is set to Basic+NTLM. Funny thing is it works on Outlook 2010 but not on 2016. Here is what’s happening.
https://social.technet.microsoft.com/Forums/ie/en-US/68270de0-241b-4da6-92a6-5b5ec5c1c2f2/outlook-2016-cannot-add-new-appointment-to-shared-calendar-for-which-i-have-editor-permission?forum=Office2016ITPro
Depends on many things. If Kerberos auth was deployed for Exchange 2010 but hasn’t been set up for the 2016 co-existence then that can cause problems. Otherwise it’s hard to say without being able to see the environment. I’d suggest opening a support case.
Hi Paul,
(migrating single Exchange 2013 to 2016, Mailbox role only)
By misstake is moved a few User Mailboxes before the Arbitration mailboxes to the new Exchange 2016 database.
What is the best thing to do now?
Thanks in advance.
Best regards,
Arthur
Move the arbitration mailboxes.
Thanks for the quick answer, so no disadvantages to do that afterwards?
No, but you should correct your error by moving them next before you move any more user mailboxes.
I am getting below error while moving Arbitration mailboxes
Unsupported target database version. The New-MoveRequest cmdlet can only move mailboxes to databases mounted on server
s running one of the following versions of Exchange: Exchange 2010, Exchange 2007 (SP2 and later), Exchange 2003 (SP2 a
nd later).
+ CategoryInfo : InvalidArgument: (INFO-DB01:DatabaseIdParameter) [], RecipientTaskException
+ FullyQualifiedErrorId : D930D9F3
got it i was running command on exchange 2010 shell, i have to run it on exchange 2016 shell
First off, I just want to thank you for putting together these guides, they are absolutely amazing and extremely helpful.
Our exchange environment is about as basic as it gets: 1 Exchange 2010 running Hub, CAS, MBX and all of our incoming mail is delivered from a third party spam filter appliance.
I’m running into the following issue after introducing Exchange 2016 and cutting over the namespace:
I am able to access OWA and configure a profile on an Outlook client successfully, but when attempting to open Outlook, I get the error:
‘Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The file C:\users\username\AppData\Local\Microsoft\Outlok\username@domain.com.ost is not an Outlook data file (.ost).’
I have attempted to configure a brand new Outlook profile on a brand new Windows 10 machine with 2 different user accounts that had never logged into the machine with the same above result.
Any advice/guidance would be GREATLY appreciated!
Thanks,
Nick