CAS Upgrade 2007 to 2010 Questions
I'm preparing to upgrade from 2007 to 2010, and I've been reading TechNet articles, Exchange team blog posts, and the Deployment Assistant, and I have some questions that I can't seem to find answers to.

1. Legacy domain name - Microsoft "recommends" using legacy.domain.com for the legacy CAS server in the Deployment Assistant. In this doc: http://technet.microsoft.com/en-us/library/dd351133.aspx it says that it "should be" legacy.domain.com. However, neither explains how Ex2010 knows what domain name you're actually using. How does it know where to pass legacy traffic?

2. SAN cert - So I'm going to need a new SAN cert with what I'm using now on 2007, mail.domain.com, plus autodiscover.domain.com, plus legacy.domain.com (per recommendation or requirement, depending on which doc you're reading), and maybe outlook.domain.com if I am setting up a CAS array. I'm supposed to install that on the 2010 CAS box, export it and install it on the 2007 CAS box. The question here is that on my existing CAS, I was advised when setting it up (don't have the doc URL handy any longer, sorry) that I needed to include the NetBIOS name of the CAS server, plus the FQDN of the AD domain, such as cas2k7.domain.internal, on the SAN cert for the CAS. Is this no longer needed for 2010?

Also, in the Deployment Assistant, all it says is to use this command:

Import-ExchangeCertificate -Path c:\certificates\import.pfx -Password:(Get-Credential).password

to import the cert and do nothing else. Do you need to Enable-ExchangeCertificate for anything? It doesn't seem like just having the cert sitting there is going to do any good without actually using it.

Those are the things that are jumping out at me initially; any guidance on those issues would be much appreciated.
March 16th, 2012 1:34pm

I thought it would be clear. It states that the name has to be associated with Exchange 2007, therefore you change your Exchange 2007 URLs to use the legacy host name. The traffic is then redirected based on that information.

You do NOT need to have the RPC CAS array in the SSL certificate, as nothing connects to it using HTTPS. I would strongly encourage you to NOT consider the RPC CAS Array optional, as it will come back to cause you problems later on. It is much easier to have an RPC CAS Array in place from day one and just have it pointing to the existing CAS role server, than trying to retrofit it.

I have never put in the FQDN of the AD domain, nor the root of the external domain. The URLs that I put into my certificates are:

mail.example.com (common name, primary access name for OWA, ActiveSync, Outlook Anywhere and MX records)
legacy.example.com (Exchange 2007/2003 legacy host name)
autodiscover.example.com
host.example.local (server internal FQDN)
host (server NetBIOS)

If you have more than one CAS then you have two options.
1. Add all CAS role servers to the certificate.
2. Use a generic name internally - which is NOT the same as your RPC CAS Array.

You do need to enable the SSL certificate in the Exchange 2007 server using the shell. In Exchange 2010 you can use the GUI.

Simon.
Simon Butler, Exchange MVP
March 18th, 2012 11:03am
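Added example, not part of the thread and not Microsoft's own script: a check, run in the Exchange Management Shell, that an imported certificate actually carries the names listed in the reply above before it is enabled for IIS. Confirm-CasCertificate is a hypothetical helper name, the thumbprint is a placeholder, and the host names are the reply's example.com values.

```powershell
# Confirm-CasCertificate is a hypothetical helper, not an Exchange cmdlet.
function Confirm-CasCertificate {
    param(
        [string]   $Thumbprint,
        [string[]] $RequiredNames,
        [switch]   $Enable
    )

    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if (-not $cert) {
        Write-Warning "No certificate found with thumbprint $Thumbprint"
        return $false
    }

    # CertificateDomains lists the subject name plus every SAN entry.
    $present = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($RequiredNames | Where-Object { $present -notcontains $_.ToLower() })
    if ($missing.Count -gt 0) {
        Write-Warning ("Certificate is missing: " + [string]::Join(', ', $missing))
        return $false
    }

    # An imported certificate without its private key cannot be bound to IIS.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate has no private key on this server"
        return $false
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter)"
        return $false
    }

    # Importing alone binds nothing; Services stays empty until the cert is enabled.
    if ($Enable) {
        Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS
    }
    Get-ExchangeCertificate -Thumbprint $Thumbprint |
        Format-List Thumbprint, Services, CertificateDomains, NotAfter | Out-Host
    return $true
}

# Constructed sample input: replace the placeholder thumbprint and names with your own.
$names = 'mail.example.com', 'legacy.example.com', 'autodiscover.example.com',
         'host.example.local', 'host'
Confirm-CasCertificate -Thumbprint '<THUMBPRINT>' -RequiredNames $names -Enable
```

Run it on each CAS that received the exported certificate; leave off -Enable to only report which names are missing.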

Besides, for the certificate, I recommend that you use the Exchange certificate wizard to create the certificate request.

CAS, CAS array, NLB IP addresses and certificate names
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/144eecf0-1963-4768-a08a-7c06eb2a79f1/

Xiu Zhang
TechNet Community Support
March 19th, 2012 5:03am

No, completely unclear. What Exchange 2007 URLs do you change? And where is this done?

Also, the list of URLs you list doesn't match what's in the Deployment Assistant. In the section about adding digital certificates it specifically lists the domains needed:

mail.domain.com
autodiscover.domain.com
legacy.domain.com
domain.com

It never mentions putting NetBIOS names or FQDN internal names (which is what I meant by the FQDN of the AD domain, sorry that wasn't clear), so how am I supposed to know those are still needed?
March 19th, 2012 11:09am

The certificate you will need is as follows:

Include the fully-qualified domain name and NetBIOS name of your Exchange server(s) (e.g., owa.domain.com and owa.local).

When using the autodiscover service, include an entry for autodiscover. Autodiscover with Exchange automatically uses autodiscover.yourdomain.com.

If using a distinct URL for OWA, ActiveSync, Outlook Anywhere, or any other service you might be using on the Exchange 2010 server, or if you have any CAS servers involved for which you must create a secure connection, include those names as well.

If you are using any CAS servers, make sure to include the NetBIOS and internal fully-qualified domain name of every CAS server involved.

If you do not use different URLs for any other secure services, you should have all the Subject Alternate Names you need.

http://www.digicert.com/ssl-support/exchange-2010-san-names.htm

Also, you will need to add legacy.yourdomain.com for Exchange 2007 and 2010 coexistence. For the Exchange 2007 URLs, follow this article; it will explain exactly what needs to change on your Exchange 2007 CAS servers.

http://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-ii/
March 19th, 2012 1:45pm

That is exactly the info I needed, thanks. I've been working with Exchange since 5.5 and upgrade documentation is usually excellent, but Microsoft's instructions to get to 2010 are terrible. If you followed the instructions in the Deployment Assistant exactly as they're given, you'd blow up your environment.
March 19th, 2012 2:02pm
