
Exchange Server 2016 Migration – Preparing for Coexistence

December 1, 2016 by Paul Cunningham 50 Comments

The Exchange 2016 migration for Not Real University is getting to the stage where they can start cutting over client access and transport services to the Exchange 2016 Mailbox server. This stage is referred to as coexistence. Before any services are cut over, there are some preparation tasks to perform.

Health Check

First, it’s advisable to perform a general health check of the existing production environment. The reason for performing a health check now is to determine if there are any existing problems that you might not already be aware of. If you start a migration, then notice the problems, troubleshooting is more complicated because you will be unsure whether the problem has been caused by the migration or not.

To perform a health check you can:

  • Run the Test-ExchangeServerHealth.ps1 script.
  • Use the Remote Connectivity Analyzer to test external access such as Outlook Anywhere and ActiveSync.
  • Verify that backups for the existing and new Exchange servers are running successfully.
  • Review your server event logs for any unusual errors.
  • Perform Outlook tests on the network including creating a new Outlook profile, scheduling a meeting and viewing free/busy information for attendees, accessing public folders, and sending/receiving internal and external email.

Outlook Anywhere

When the client access namespaces are cut over to the Exchange 2016 server, Outlook Anywhere connections for Exchange 2013 and 2010 mailbox users will be proxied from the 2016 server to the 2013 or 2010 server. For Exchange 2010 mailbox users, Outlook Anywhere authentication needs to be configured on the 2010 server to allow the proxied connections to work.

The following command will display the Outlook Anywhere configuration for Exchange 2010 servers.

[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl servername,externalhostname,*auth*

ServerName                         : NREXCH10
ExternalHostname                   : mail.notrealuniversity.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Ntlm}

If the IISAuthenticationMethods are configured for Basic only, then the following command will add NTLM authentication as well.

[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer} | %{Set-OutlookAnywhere "$_\RPC (Default Web Site)" -IISAuthenticationMethods Basic,NTLM}
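The check and the fix above can be combined into one pre-cutover audit. This is an added example, not code from the original article: the function name Test-OutlookAnywhereCoexistence and the Result values are hypothetical, and it assumes it is run in the Exchange Management Shell. It reports every Exchange 2010 Client Access server, and with -Fix it appends NTLM to the existing IIS methods instead of overwriting them.

```powershell
# Added example: audit Outlook Anywhere IIS authentication on Exchange 2010
# Client Access servers before the namespace cutover.
# Test-OutlookAnywhereCoexistence is a hypothetical name, not an Exchange cmdlet.
function Test-OutlookAnywhereCoexistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Without -Fix the function only reports and changes nothing.
        [switch]$Fix
    )

    # Same filter as the article: version 14.x servers holding the CAS role.
    $cas2010 = Get-ExchangeServer | Where-Object {
        $_.AdminDisplayVersion -like "*14.*" -and $_.IsClientAccessServer
    }

    foreach ($server in $cas2010) {
        $vdirs = @(Get-OutlookAnywhere -Server $server.Name)

        if ($vdirs.Count -eq 0) {
            # Nothing returned: Outlook Anywhere is not enabled on this server.
            [pscustomobject]@{
                Server                   = $server.Name
                IISAuthenticationMethods = ''
                Result                   = 'OutlookAnywhereNotEnabled'
            }
            continue
        }

        foreach ($oa in $vdirs) {
            # Normalise to strings so the test works in a remote session too.
            $methods = @($oa.IISAuthenticationMethods | ForEach-Object { $_.ToString() })
            $result  = if ($methods -contains 'Ntlm') { 'OK' } else { 'NtlmMissing' }

            if ($result -eq 'NtlmMissing' -and $Fix -and
                $PSCmdlet.ShouldProcess($server.Name, 'Add NTLM to IISAuthenticationMethods')) {
                # Append NTLM to whatever is already configured.
                $oa | Set-OutlookAnywhere -IISAuthenticationMethods ($methods + 'Ntlm')
                $result = 'NtlmAdded'
            }

            [pscustomobject]@{
                Server                   = $server.Name
                IISAuthenticationMethods = ($methods -join ',')
                Result                   = $result
            }
        }
    }
}

# Report only:
Test-OutlookAnywhereCoexistence | Format-Table -AutoSize

# Preview the change, then apply it:
# Test-OutlookAnywhereCoexistence -Fix -WhatIf
# Test-OutlookAnywhereCoexistence -Fix
```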

OWA Authentication

The default OWA authentication settings for a newly installed Exchange 2016 server are:

  • Forms-based authentication
  • Domain\Username logon format

If you have a different logon format requirement you should make those changes to the virtual directory settings now before you cut over any namespaces or move any mailboxes. For example, Not Real University uses the user principal name (UPN) as the logon format, which matches the users’ primary email addresses.


Testing Client Access

The cutover of client access namespaces to Exchange 2016 involves a DNS change. If you change the DNS record for your client access namespace, all of your users will begin making connections for some Exchange services to the Exchange 2016 server. If there’s a problem, it will impact all of the users.

To avoid an unexpected problem, it’s advisable to test the client access change before you modify the DNS record. To perform this test you can use a hosts file entry on a test workstation, to point that single client’s connections to the Exchange 2016 server. You can follow the steps outlined in this article to modify the hosts file.

Moving Arbitration Mailboxes

The final task before any production services are cut over to Exchange 2016 is to move the arbitration mailboxes. Arbitration mailboxes are responsible for things like transport moderation and audit logging, and need to be hosted on the highest version of Exchange in the organization. The mailboxes themselves are typically quite small and will move fairly quickly.

In the Exchange Management Shell, run the following command to move the mailboxes to a database on your Exchange 2016 server.

[PS] C:\>Get-Mailbox -Arbitration | New-MoveRequest -TargetDatabase DB2016-01
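Before moving on, it is worth confirming that every arbitration mailbox actually landed on the Exchange 2016 database, since audit logging and moderation depend on them. The following is an added example, not code from the original article: the function name Get-ArbitrationMailboxPlacement is hypothetical, DB2016-01 is the database name used above, and it assumes it is run in the Exchange 2016 Management Shell.

```powershell
# Added example: show where each arbitration mailbox lives and the state of
# its move request. Get-ArbitrationMailboxPlacement is a hypothetical name.
function Get-ArbitrationMailboxPlacement {
    param(
        [Parameter(Mandatory = $true)]
        [string]$TargetDatabase
    )

    Get-Mailbox -Arbitration | ForEach-Object {
        # A mailbox with no move request produces an error; treat that as 'None'.
        $move = Get-MoveRequest -Identity $_.DistinguishedName -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Name       = $_.Name
            Database   = "$($_.Database)"
            Server     = $_.ServerName
            MoveStatus = if ($move) { "$($move.Status)" } else { 'None' }
            OnTarget   = ("$($_.Database)" -eq $TargetDatabase)
        }
    }
}

$placement = Get-ArbitrationMailboxPlacement -TargetDatabase 'DB2016-01'
$placement | Format-Table -AutoSize

# Anything listed here has not reached the Exchange 2016 database yet.
$pending = @($placement | Where-Object { -not $_.OnTarget })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) arbitration mailbox(es) are not on $TargetDatabase yet."
}
```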

In the next article in this series, we’ll look at performing the cutover of the client access namespaces to Exchange 2016.


Comments

  1. Daryl says

    November 16, 2019 at 4:21 am

    Hi Paul,

    Excellent tutorial. For the arbitration mailboxes, I’m assuming those are being moved from our current Exchange 2010/2013 server to a database on the new 2016 server? Is that correct? If that’s the case, does the powershell command you provided need to be run on the 2010/2013 server or the 2016 server?

    Does it matter which database these mailboxes are moved to, or do they just need to be on any of the new 2016 databases?

    Thank you!

    Reply
  2. Alan says

    October 8, 2019 at 1:23 pm

    Hi Paul. Great tutorial, thanks heaps, invaluable.

    I am having issues opening the ‘Configuring Mailbox Databases’ page of this tutorial though.
    I’ve tested opening the URL from different devices but I still see the “Sorry offline for Maintenance” page for Prac365.
    Is the page information actually being updated at the moment? Any ETA on when it will be available to view?

    This is the URL
    https://practical365.com/exchange-server/exchange-server-2016-migration-configuring-mailbox-databases/

    Thanks

    Reply
  3. Daniel says

    August 28, 2019 at 11:11 am

    Your cmdlet to see the auth settings doesn’t work for me.
    I had to change “…Set-OutlookAnywhere “$_RPC (Default Web…”
    to “…Set-OutlookAnywhere “$_\rpc (Default Web…”
    The difference being the \ before the rpc

    Reply
  4. David S. says

    July 25, 2019 at 6:38 am

    Hi Paul, we have a 2010 CAS array (outlook.domain.com) for internal connections without Outlook Anywhere enabled. Then another 2010 CAS array (email.domain.com) in the DMZ for external connections with Outlook Anywhere enabled.

    Does Outlook Anywhere need to be enabled on the internal 2010 CAS servers in order for coexistence to work, or only on the external facing CAS servers?

    The reason I ask is that when I enable OA on the internal 2010 CAS servers, we start getting Outlook connectivity issues from end users.

    Thanks much!
    David

    Reply
  5. Kalees says

    July 25, 2019 at 2:10 am

    Can we install Exchange 2016 servers in an existing 2010 environment without changing the URL? If all the mailboxes are available in 2010 and will change URL later and move the mailbox to 2016.

    Reply
  6. Ishtvan Balint says

    May 23, 2019 at 5:39 am

    Thanks for this. When I try accessing a mailbox still on 2010 via owa i get this: Redirect loop detected.
    Host files modified to point to 2016. No issues accessing mailboxes on 2016. Internally it works from the server. If I go via IP externally the redirect to 2010 works. Any clues?
    Thanks

    Reply
  7. Ben says

    April 17, 2019 at 9:52 pm

    Hello Paul,
    I started migrating mailboxes users from 2010 to 2016 and I notice freebusy issues. Can this be due to System Mailboxes that I haven’t migrated before? And if so, is there a risk after migration of these System Mailboxes for 2010 mailboxes during the coexistence period?
    Thanks a lot 🙂

    Reply
  8. Nick Lofland says

    November 13, 2018 at 7:19 am

    First off, I just want to thank you for putting together these guides, they are absolutely amazing and extremely helpful.

    Our exchange environment is about as basic as it gets: 1 Exchange 2010 running Hub, CAS, MBX and all of our incoming mail is delivered from a third party spam filter appliance.

    I’m running into the following issue after introducing Exchange 2016 and cutting over the namespace:

    I am able to access OWA and configure a profile on an Outlook client successfully, but when attempting to open Outlook, I get the error:

    ‘Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The file C:\users\username\AppData\Local\Microsoft\Outlok\username@domain.com.ost is not an Outlook data file (.ost).’

    I have attempted to configure a brand new Outlook profile on a brand new Windows 10 machine with 2 different user accounts that had never logged into the machine with the same above result.

    Any advice/guidance would be GREATLY appreciated!

    Thanks,

    Nick

    Reply
  9. Bhushan says

    April 20, 2018 at 11:01 pm

    I am getting below error while moving Arbitration mailboxes

    Unsupported target database version. The New-MoveRequest cmdlet can only move mailboxes to databases mounted on servers running one of the following versions of Exchange: Exchange 2010, Exchange 2007 (SP2 and later), Exchange 2003 (SP2 and later).
    + CategoryInfo : InvalidArgument: (INFO-DB01:DatabaseIdParameter) [], RecipientTaskException
    + FullyQualifiedErrorId : D930D9F3

    Reply
    • Bhushan says

      April 20, 2018 at 11:08 pm

      Got it, I was running the command in the Exchange 2010 shell; I have to run it in the Exchange 2016 shell.

      Reply
  10. Arthur says

    March 7, 2018 at 8:08 pm

    Thanks for the quick answer, so no disadvantages to do that afterwards?

    Reply
    • Paul Cunningham says

      March 7, 2018 at 8:14 pm

      No, but you should correct your error by moving them next before you move any more user mailboxes.

      Reply
  11. Arthur says

    March 7, 2018 at 7:28 pm

    Hi Paul,

    (migrating single Exchange 2013 to 2016, Mailbox role only)
    By mistake I moved a few user mailboxes before the arbitration mailboxes to the new Exchange 2016 database.
    What is the best thing to do now?
    Thanks in advance.

    Best regards,

    Arthur

    Reply
    • Paul Cunningham says

      March 7, 2018 at 8:01 pm

      Move the arbitration mailboxes.

      Reply
  12. Xerxes Baldonasa says

    November 2, 2017 at 7:01 am

    Proxy is not working for me from 2016 to 2010 for mailboxes. Did I need to set both internal and external to basic and NTLM?

    Reply
    • Xerxes Baldonasa says

      November 2, 2017 at 7:19 am

      Oops, dumb question sorry. We’re setting IIS authentication… Either way There is something that’s not working for me. IIS is set to Basic+NTLM. Funny thing is it works on Outlook 2010 but not on 2016. Here is what’s happening.

      https://social.technet.microsoft.com/Forums/ie/en-US/68270de0-241b-4da6-92a6-5b5ec5c1c2f2/outlook-2016-cannot-add-new-appointment-to-shared-calendar-for-which-i-have-editor-permission?forum=Office2016ITPro

      Reply
      • Paul Cunningham says

        November 2, 2017 at 9:28 am

        Depends on many things. If Kerberos auth was deployed for Exchange 2010 but hasn’t been set up for the 2016 co-existence then that can cause problems. Otherwise it’s hard to say without being able to see the environment. I’d suggest opening a support case.

        Reply
  13. Derek Gagnon says

    October 20, 2017 at 6:37 am

    If Outlook Anywhere is disabled on Exchange 2010, will it need to be enabled so Exchange 2016 can proxy connections back?

    Reply
    • Paul Cunningham says

      October 20, 2017 at 6:59 am

      I always enable it, even when the customer says they don’t use it.

      Reply
  14. Meena Soliman says

    September 29, 2017 at 10:54 pm

    Hi Paul
    Please advise me urgently on this case:
    I have 2 Exchange servers, 2010 and 2016, same as in this article. Everything was working until I got stuck when all mailboxes still exist on Exchange 2010 and I have to proxy the access through Exchange 2016.
    I changed the HOSTS file to redirect mail.domainname.com to Exchange 2016 and it normally proxies the OWA connection to 2010.
    But when I try to open Outlook it gives me this message:
    Cannot open the Outlook windows. The set of folders cannot be Opened. You must connect to Microsoft Exchange with the current profile.

    Is this because Exchange 2010 works with MAPI/RPC and 2016 works with MAPI/HTTP?
    And if yes, what do I have to do?

    Reply
    • Paul Cunningham says

      September 30, 2017 at 12:17 pm

      What is your CAS Array namespace for Exchange 2010?

      Reply
      • Meena Soliman says

        September 30, 2017 at 9:33 pm

        I don’t have a CAS array. I have 1 Exchange 2010 multi-role server and Exchange 2016,
        and I have 1 namespace (mail.gbands.xyz).

        Reply
        • Paul Cunningham says

          October 1, 2017 at 10:01 am

          Ok what is the RPCClientAccessServer property set to on the Exchange 2010 databases?

          Reply
          • Meena Soliman says

            October 1, 2017 at 9:12 pm

            When I ran:
            Get-MailboxDatabase Databasename |select *RPCclientaccessserver*

            RpcClientAccessServer
            ———————
            mail.gbands.xyz

          • Meena Soliman says

            October 2, 2017 at 6:42 pm

            Please Paul, I am still waiting for your answer on why Exchange 2016 does not proxy RPC connections for internal Outlook users.

  15. Nima says

    August 8, 2017 at 1:55 pm

    Hi. Is it necessary to move the arbitration mailboxes at this point, or can we migrate them later before moving user mailboxes?

    Reply
    • Paul Cunningham says

      August 8, 2017 at 2:19 pm

      Is there a reason you don’t want to move them?

      Reply
      • Nima says

        August 8, 2017 at 6:46 pm

        Not a special reason. Just because in your Pluralsight videos you do that before moving user mailboxes and I document our migration based on that.

        Reply
        • Paul Cunningham says

          August 8, 2017 at 9:48 pm

          I don’t really understand what you’re asking then. The arbitration mailboxes need to be moved first before you move any other mailboxes, that’s the golden rule here.

          Reply
          • Nima says

            August 9, 2017 at 1:24 pm

            I thought maybe there is a need for moving them before mail flow migration.

          • Nima says

            August 9, 2017 at 4:18 pm

            Sorry. I lost the order of migration. You are right.

          • Jesus says

            April 5, 2018 at 11:55 pm

            Paul,
            What are the consequences of not moving the arbitration mailboxes before migrating mailboxes from 2010?

          • Paul Cunningham says

            April 6, 2018 at 8:36 am

            Per the article: “Arbitration mailboxes are responsible for things like transport moderation and audit logging, and need to be hosted on the highest version of Exchange in the organization.”

            Move them first, otherwise those things won’t work.

  16. 0ff2w0rk says

    July 27, 2017 at 10:25 pm

    Hi Paul and thanks for a great guide.
    We have Exchange 2010 and 2016 in place (single server), but currently external and internal DNS still points to old 2010 server.
    We implemented new reverse proxy for use with 2016 server with working external IP.
    We edited the hosts file on a local computer (that can reach the client access array) and pointed autodiscover and mail to the new external IP. This works fine, but when set up on a computer that is on an external network, it stops at the point when we launch Outlook (auto configuration works fine). It asks for username and password, but Outlook hangs. Looks like this: https://social.technet.microsoft.com/Forums/en-US/41a36318-f6aa-4b4a-82e1-91e5941cc65a/exchange-2010-and-2016-outlook-hangs-during-loading-profile?forum=exchangesvrclients
    The account(s) tested is hosted on Exchange 2010. Account hosted on Exchange 2016 works fine.

    Any idea?

    thanks!

    Reply
    • Paul Cunningham says

      July 27, 2017 at 11:12 pm

      Have you done the co-existence config for Outlook Anywhere?

      Reply
  17. Selai says

    April 20, 2017 at 12:34 am

    We are migrating from Exchange 2010 to Exchange 2016. All virtual directories have been configured on Exchange 2016 and work fine, but while I am configuring Outlook for a mailbox on Exchange 2016 or redirecting traffic to Exchange 2016, Outlook clients start asking for credentials and do not pick them up from the user login.
    While configuring Outlook for a new account it’s not authenticating with the Windows logon; I have to put in Domain\user and password.

    Reply
  18. Erwin Rook says

    April 12, 2017 at 6:46 pm

    Hello Paul,

    When I do a migration from Exchange 2010 to Exchange 2016, is it necessary that Outlook Anywhere is configured on Exchange 2010 or can I leave this disabled? It is not configured right now. When it is necessary to enable it, does this have an impact on the current Outlook 2013 clients?

    When I set the Autodiscover DNS to the Exchange 2016 environment we have an issue on several clients, not all, that they don’t receive free/busy information in Outlook when they want to schedule a meeting.

    Reply
    • Paul Cunningham says

      April 12, 2017 at 8:09 pm

      I don’t know of any specific scenarios or problems caused by not enabling it, because I always enable it.

      Reply
      • Erwin Rook says

        April 14, 2017 at 5:39 pm

        When I enable it, does this have an impact on the current Outlook 2013 clients? Do they get any pop-ups or are the Outlook profiles being reconfigured?

        Reply
  19. Ulli says

    March 7, 2017 at 1:36 pm

    EDIT:

    Should be : That URL is not used on any virtual directory at all as the INTERNALURL

    Reply
  20. Ulli says

    March 7, 2017 at 1:34 pm

    Hello Paul,

    We have an environment with one MBX2010 and installed a new MBX2016. All internal URLs are FQDNs. External URLs are mail.company.com.
    I know this should be corrected in future.

    We wanted to test if EX2016 can proxy internal Outlook connections to EX2010 mailboxes. So, on a test client, we changed the hosts file like this: IPofEX2016 FQDNofEX2010.
    Outlook, when started with a profile for an EX2010 mailbox, wants to connect to mail.company.com and gets a certificate warning, because mail.company.com isn’t configured in internal DNS and ends up on the firewall.

    Maybe this was a stupid test, but can you explain why Outlook wants to connect to mail.company.com? That URL is not used on any virtual directory at all.

    Thx,
    Ulli

    Reply
    • Paul Cunningham says

      March 7, 2017 at 8:58 pm

      I can’t see your environment, so it’s hard to say what might be wrong. But it sounds like you realise that your namespaces are not set up properly. So I would suggest doing the work to align your configuration with the recommended practices first.

      Reply
  21. Rob Moritz says

    March 3, 2017 at 2:07 am

    Paul,

    I have Exchange 2016 installed doing a co-existing migration from 2010. I am seeing that when I connect to Exchange 2016 via OWA I can authenticate but it keeps going to only one of my 5 Exchange 2010 CAS servers? Do you have any idea on why that would be? I looked at the IIS logs in 2010 and I see the health check responding it is live and made sure none of the CAS servers are not excluded so I’m confused on why it is only going to one. Any thoughts?

    Thanks,
    Rob

    Reply
  22. INDRA says

    December 10, 2016 at 6:06 pm

    Hi Paul,

    Separate question from this topic,
    Question: Once we move a mailbox from Exchange 2010 to 2016, it needs the web app pool restarted on all servers to connect to the mailbox. Any fix to autocorrect?

    OR

    Any permanent fix or script which does for all server rather than logging individual ?

    Article referred: https://support.microsoft.com/en-us/kb/3097392
    Restart-WebAppPool MSExchangeAutodiscoverAppPool

    Reply
  23. Jason says

    December 3, 2016 at 4:49 am

    Customer does not want FBA because Basic is what users are used to using.
    But do users need to auth twice (once on 2013 owa & then 2010 owa) if Basic auth is used?
    And does this also apply to fba?

    Reply
    • Paul Cunningham says

      December 5, 2016 at 4:47 pm

      If FBA is used and coexistence is set up properly, they only need to auth once.

      If Basic is used, I’m not 100% sure because I haven’t tried it lately, but I believe they will get prompted for auth a second time.

      FBA is a better user experience. I’m not sure why they would want to stick to Basic.

      Reply
      • Kalees says

        July 25, 2019 at 2:07 am

        Can we install Exchange 2016 servers in an existing 2010 environment without changing the URL? If all the mailboxes are available in 2010 and will move later to 2016.

        Reply
        • Trank0 says

          July 26, 2019 at 5:34 pm

          Of course, you just need to set all the virtual directories with your internal URL. Of course all servers must be in the same site. Later you must change the load balancer to point your URL to the 2016 IPs.

          Reply
  24. Jason says

    December 2, 2016 at 4:21 pm

    If we have OWA with Basic auth on 2010 and we configure 2013 also with Basic auth: when a user with a mailbox on 2010 accesses OWA on 2013 after the CAS switch, he authenticates on 2013 and then he will be proxied to 2010. Does he need to authenticate with Basic auth again?

    Reply
    • Paul Cunningham says

      December 2, 2016 at 5:34 pm

      Why use Basic auth instead of forms-based auth?

      Reply
