I'm going in....
Hi all,
My 300 user Exchange 2007 server is dying and I therefore have to get my new servers up and running asap. This means that, sadly, I won't have much time to play with anything. I've bought 4 servers, 4 copies of Exchange 2010 (2 x Enterprise) and am planning to run a DAG across our LES circuits for HA. Each site will have a CAS and Mailbox server. My questions here are:
Am I able to retrospectively install a CAS array so that I can get the two main servers up and running to relieve the load on our ailing 2007 ex box? We mainly use RPC over HTTPS (as most users are off site).
Am I able to buy a new SSL certificate and install it on two different CASs? I'm not quite getting that bit yet.... I presume you will use an A record and FQDN like ex2010.dom but am unsure whether you can have two SSLs? Help!
I presume I can add Mailbox servers for DAGs on a separate subnet on demand so can get the second monster mailbox server up and running at a later date?
Thanks in advance for any help.
C
March 14th, 2011 12:55pm

With regards to the CAS array, the best thing to do is set that up immediately and then point the host name you are using at one of the CAS server's IP Address. Then all the clients will use the CAS array host name, rather than the CAS server host name. Far easier to do it at the start in that way rather than trying to retrofit the configuration later, which will require every Outlook installation being touched.
The CAS array host should NOT resolve externally. It doesn't need to appear in the SSL certificate.
Therefore if you are using Outlook Anywhere you would do the following for SSL certificate - same certificate, exported from server 1 and imported in to server 2:
host.example.com (common name, used for OWA, EAS, Outlook Anywhere, MX records etc)
autodiscover.example.com
cas1.domain.local
cas2.domain.local
cas1 (NETBIOS name)
cas2 (NETBIOS name)
Simon.
Simon Butler, Exchange MVP
March 14th, 2011 1:51pm

Thanks Simon, That all makes sense (I think!) Where do I install the SSL purchased certificate for Outlook Anywhere? Thanks, Mike
March 16th, 2011 9:06am

All certificates are on the CAS server/s. Therefore you would purchase a single certificate for everything, with the request/response done on one of the CAS servers. When complete, export it and then import it to the other server. If the certificate requires intermediate certificates, then remember to install those. The only time that is different is if you are using something like TMG/ISA to publish the services.
Simon.
Simon Butler, Exchange MVP
March 16th, 2011 7:59pm
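
The request, export and import sequence described in the reply above, as an added example that is not part of the original thread. It assumes the Exchange 2010 SP1 or later Management Shell and the host names listed earlier in the thread; the file paths and subject fields are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Host names are those listed in the thread; paths and subject fields are placeholders.
$names = 'host.example.com', 'autodiscover.example.com',
         'cas1.domain.local', 'cas2.domain.local', 'cas1', 'cas2'

# --- CAS1: create the request; the key must be exportable to reuse it on CAS2 ---
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=GB, O=Example Ltd, CN=host.example.com' `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\cas.req' -Value $csr

# --- CAS1: once the CA has issued the certificate ---
# Intermediates go into the machine's Intermediate Certification Authorities store.
certutil -addstore CA 'C:\certs\intermediate.cer'
$cert = Import-ExchangeCertificate -FileData `
    ([byte[]](Get-Content -Path 'C:\certs\cas.cer' -Encoding Byte -ReadCount 0))

# Refuse to bind the certificate if any expected name is missing from it.
$have    = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $have -notcontains $_ }
if ($missing) { throw "Certificate is missing: $($missing -join ', ')" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Export with the private key, protected by a password typed at the prompt.
$pfxPass = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPass
Set-Content -Path 'C:\certs\cas.pfx' -Value $pfx.FileData -Encoding Byte

# --- CAS2: import the same certificate, then delete the PFX from both servers ---
$pfxPass = Read-Host 'PFX password' -AsSecureString
Import-ExchangeCertificate -Password $pfxPass -FileData `
    ([byte[]](Get-Content -Path 'C:\certs\cas.pfx' -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services IIS
Remove-Item 'C:\certs\cas.pfx'
```

The PFX carries the private key, so it should exist only for the duration of the copy; the import on CAS2 leaves the key non-exportable by default.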

Thanks again Simon. What roles should I put on the CAS's... all of them bar mailbox I presume? Thanks
March 17th, 2011 4:52am

In regard to the certificates. I only have a Thawte SSL123 cert at present for the external owa/outlook anywhere clients. Is this going to be a massive problem, i.e. just exporting it from the 2007 server and importing to the CAS's? Many thanks, Mike
April 21st, 2011 1:45pm

If you are planning to do a transition from 2007 to 2010 you also need legacy.example.com on the SAN cert if your transition will coexist for a while. So, you need a new SAN cert:
mail.example.com (owa, EAS, OA)
Autodiscover.example.com
legacy.example.com
If you are doing the transition over a weekend then you can skip legacy.example.com
See http://blogs.technet.com/b/exchange/archive/2009/11/20/3408856.aspx
April 21st, 2011 2:04pm

Thanks for the fast response. What would happen if I used the existing Thawte Cert for mail.example.com (owa, EAS, OA) only please? TIA
April 21st, 2011 2:06pm

If you are not planning on transitioning over a weekend and will coexist for a while then your E2k7 users cannot access OWA, OA, EAS until they are moved to E2k10.
April 21st, 2011 2:09pm

Oh dear - is there any way around it without getting a new certificate? I don't think Thawte and Go are open at weekends...
April 21st, 2011 2:13pm

Thinking about this. Is there any way to install a CAS 2010 Array without activating it? I presume once it's installed, it renders the Ex2007 CAS unusable and thus all clients wouldn't be able to connect?
April 21st, 2011 2:29pm

Are you doing the migration over the weekend and not coexisting for a period of time?
April 21st, 2011 3:36pm

The CAS array won't activate unless you change your mail.example.com to point to the CAS array. It will not break the E2k7 CAS. You have to move it before you start putting users on 2010. One thing to do would be to change the autodiscover internal URL on the E2k10 CAS servers to the same as E2k7 to avoid autodiscover pop-ups.
April 21st, 2011 3:38pm

The CAS array is just for MAPI connections and will not come in to play until you move mailboxes. It has nothing to do with OWA, Outlook Anywhere, Exchange ActiveSync etc.
Bottom line is whether you want users to co-exist or not. If you do, then an additional certificate and host name will be required. If it is only for a short time, then you could get a 30 day certificate from RapidSSL. http://www.freessl.com/
Issue that to your legacy host name, then move your existing certificate to the new server platform. Configure the legacy URL. Users will then connect to the Exchange 2010 server and be redirected to the old server if their mailbox hasn't connected.
Simon.
Simon Butler, Exchange MVP
April 21st, 2011 3:51pm

Hi and thanks for all the posts. I definitely want ex2k7 and ex2010 to co-exist as I have 300 users and they are almost all remote using Outlook Anywhere or OWA. If I create the server array but keep everything else as it is I am therefore assuming all will be OK until I install the mailbox servers. At that point I can buy the SSL with multiple SAN etc? Is that correct or am I likely to get 300 calls on Tuesday morning with errors! TIA
April 21st, 2011 6:18pm

The only issue that installing CAS servers might introduce is autodiscover SSL warnings. This is because the new server may publish its own autodiscover address. That is easily avoided by simply setting the value of AutodiscoverServiceInternalURI on set-clientaccessserver to the same URL as the other CAS servers you have. The Exchange 2010 servers will not be used for anything else until you have Exchange 2010 mailboxes.
Simon.
Simon Butler, Exchange MVP
April 21st, 2011 7:09pm
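
One way to apply and verify the AutodiscoverServiceInternalUri change described in the reply above, as an added example that is not part of the original thread. The server names EX2007, CAS1 and CAS2 and the helper Test-AutodiscoverTls are hypothetical; the cmdlets are the standard Exchange 2010 Management Shell ones.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
$oldCas = 'EX2007'        # placeholder: the existing Exchange 2007 CAS
$newCas = 'CAS1', 'CAS2'  # placeholder names for the new Exchange 2010 CAS servers

# The URI Outlook clients already use and whose certificate they already trust.
$uri = (Get-ClientAccessServer -Identity $oldCas).AutodiscoverServiceInternalUri
if (-not $uri) { throw "No AutodiscoverServiceInternalUri found on $oldCas" }

foreach ($server in $newCas) {
    $current = (Get-ClientAccessServer -Identity $server).AutodiscoverServiceInternalUri
    if ("$current" -ne "$uri") {
        Write-Host "$server publishes $current, changing to $uri"
        Set-ClientAccessServer -Identity $server -AutodiscoverServiceInternalUri "$uri"
    }
}

# Check the endpoint behind a URI presents a certificate this machine accepts.
# An HTTP error such as 401 still means the TLS handshake and name check passed.
function Test-AutodiscoverTls([string]$Url) {
    try {
        $req = [Net.WebRequest]::Create($Url)
        $req.Timeout = 10000
        $req.GetResponse().Close()
        return 'OK'
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException -and $ex -isnot [Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -is [Net.WebException]) {
            if ($ex.Status -eq 'TrustFailure')  { return 'CERTIFICATE WARNING' }
            if ($ex.Status -eq 'ProtocolError') { return 'OK' }
        }
        return "UNREACHABLE: $($ex.Message)"
    }
}

# Report every distinct URI still published by any CAS, with its TLS result.
Get-ClientAccessServer | Group-Object { "$($_.AutodiscoverServiceInternalUri)" } |
    ForEach-Object { '{0,-60} {1}  [{2}]' -f $_.Name, (Test-AutodiscoverTls $_.Name),
                     (($_.Group | ForEach-Object { $_.Name }) -join ', ') }
```

Any line reporting CERTIFICATE WARNING names a URI that would trigger the Outlook pop-up discussed in the thread; run the check from a domain-joined client so that it uses the same trust store and DNS view as Outlook.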

This all sounds excellent! I presume the AutodiscoverServiceInternalURI is set at installation - or can be changed using powershell so I just need to find what it currently is..? I have spoken to Thawte and asked them if my certs will be available this weekend and am awaiting a reply. I presume I create the CSR from the first CAS server then export/import to the other then as per post in this thread. I also presume that Outlook Anywhere clients would not get this popup anyway as the autodiscover.domain.com is not in the current certificate? Thanks again for all the help. I'm sure you've all been on your own facing issues like this and am very very grateful for your advice. Mike
April 22nd, 2011 4:42am

The URL is set to the server's FQDN as part of the installation, and would therefore have to be changed to match a URL in the certificate. Autodiscover.example.com isn't used internally, unless you have set the internal URL to that host name.
Simon.
Simon Butler, Exchange MVP
April 25th, 2011 7:14pm

Morning all,
By way of an update: I now have all servers installed with Exchange. I didn't choose the option on the CAS's to make the servers internet facing and everything on the old server seems to be working well. I am now going to apply for a certificate using a CSR created from CAS1 for:
mail.domain.com
autodiscover.domain.com
cas1.domain.local
cas2.domain.local
cas1
cas2
legacy.domain.local
Are there any other SAN's I need to add as I have 10 I believe?
TIA M
April 26th, 2011 3:32am

Your legacy address needs to be in your external domain, not the internal one, as clients from outside will be directed to it. If internal users are going to be using OWA as well, then you would need to ensure the external legacy name resolves internally to the correct server as well via a Split DNS system. http://exchange.sembee.info/network/split-dns.asp
Simon.
Simon Butler, Exchange MVP
April 26th, 2011 6:28am

Thanks for this. I'm just about to purchase the Certificate. Do I need CAS1 (Netbios) or CAS1.domain.local - or both? Mike
May 4th, 2011 10:55am

Quote: "Thanks for this. I'm just about to purchase the Certificate. Do I need CAS1 (Netbios) or CAS1.domain.local - or both? Mike"
I usually include both.
Simon.
Simon Butler, Exchange MVP
May 4th, 2011 11:17am

I will as well then! I'm going to set up NLB on the CAS's later, have you ever seen this go wrong? The second CAS is 300 miles from me! Mike
May 4th, 2011 11:42am

This topic is archived. No further replies will be accepted.