Installing Exchange 2007 on a new domain tree (migration)
Hi,

I wonder if it's possible to install Exchange 2007 on a new domain tree? Exchange 2003 is already running at the first domain of the forest. But unfortunately this domain is already taken on the internet, so I request a SAN certificate. The new domain tree is a domain we own, so we could request the SAN certificate. But I don't know if Exchange 2007 will see the Exchange 2003 mailboxes located on the other domain and whether the mailboxes from the other domain can be imported to the new one without importing the users. I don't mind if the users and all other objects are not imported from the other domain. If they must be imported I could use ADMT, I guess. But I didn't find any information about installing Exchange 2007 on a new domain tree when Exchange 2003 is already running on another domain of the same forest. It would be easier to go this way than building a new forest.

Thanks for any comment or advice.
January 10th, 2009 8:12pm

What are you trying to accomplish here? Are you going for a transition to Exchange 2007?

larsp at avanade dot com, http://anewmessagehasarrived.blogspot.com
January 10th, 2009 9:50pm

Yes, a transition (migration) from Exchange 2003 to Exchange 2007. I would not have created a new tree domain just because we're upgrading to Exchange 2007. But the new OWA and autodiscover require more than one Subject Alternative Name, including the local FQDN (autodiscover.mylocaldomain.com and so on). Unfortunately, as I said, the local domain we're using (mylocaldomain.com) is also an internet domain we don't own. The third-party SSL provider has rejected our SAN certificate request. We owned this domain 3 years ago, but the firm changed its name. Too bad, I should have kept it. This is why we have to move to a domain we own (or mydomain.local), such as the new domain tree we've created within the same forest (mypublicdomain.com).
January 11th, 2009 1:32am

Is it correct that your certificate request was rejected because you added the internal server names in the request and the internal namespace doesn't belong to you anymore? One solution would be to not include the internal names in the request. Another one (more complex) could be to build a new tree in the same forest, and then deal with migration of users/groups and resources to the new tree. Building a new forest is also one possible solution, but it's also complex.

larsp at avanade dot com, http://anewmessagehasarrived.blogspot.com
January 11th, 2009 3:19pm

Yes, it is correct: the domain, let's say abc.ca, is the internal domain name. The new public domain is abcd.ca, so I can get all SANs for abcd.ca, but abc.ca of course does not belong to us anymore. If I don't include the internal domain, autodiscover and all the other local SSL names required with Exchange 2007 will keep the local users from using Outlook without getting a warning. Unfortunately, Exchange 2007 is already prepped for the forest and domain abc.ca and the CAS server is installed. The migration should have been easy for us without the SSL issue. But as far as I understand, even if Exchange 2007 is uninstalled and reinstalled on the new domain tree (abcd.ca), it is bound to the forest and the first domain abc.ca, so I still need the SAN for abc.ca. The only solution I see is to create a new forest. But it will take long to migrate everything. Besides, our current forest and domain are well managed. We have no trouble at all with the applications and services running. So there is a bit of frustration here. I thought it would have been easier to migrate from one tree to another or one forest to another with Windows 2008, but it's not. No magic here. I should have kept the domain abc.ca.
January 12th, 2009 1:55am

Unfortunately, you can have only one Exchange 2003/2007 organization per forest. Having another tree in the forest does not affect this. If you need to create a new forest... and I'm not sure you do, since you never mentioned your business requirements... you will need to migrate your users/mailboxes/computers using ADMT... this is common for many "spin-off" scenarios. If you just need to change the names in your SAN certificate for autodiscovery to work... there are a lot better ways than setting up a new forest.

John Gilham, Principal Consultant, Gilham Consulting, Advanced Microsoft Solutions. Web: www.Gilham.org
January 12th, 2009 6:22am

Thanks, but I just don't see how I can use autodiscover or any other locally required SAN for Exchange 2007 without having the SAN with the local domain name? The local domain is the one I can't get the SAN for. Autodiscover and OWA will work for the users from the outside (abcd.ca), but from the inside I need a SAN with the local domain (abc.ca). I can't just change my name? Do you mean I could simply use any name I add in the local DNS, such as adding abc.local in the DNS and using it for Exchange? I'm not sure I follow.
January 12th, 2009 7:00am

Before I explain setting up Exchange 2007 using a disjointed DNS namespace... let's make sure we are solving the correct problem. Do you simply need an Exchange 2007 server to coexist with your Exchange 2003 servers? Please include your migration strategy, coexistence duration required (more than a weekend), and whether you're using an internal certificate authority... or an external one.

Some notes that might help: Internally, Autodiscover typically uses AD, not DNS. Also, you can disable SSL altogether for a smaller environment.

John Gilham, Principal Consultant, Gilham Consulting, Advanced Microsoft Solutions. Web: www.Gilham.org
January 12th, 2009 7:54am

1 - I need an Exchange 2007 server (we already have 2 CAS in NLB running and we will deploy 2 mailbox, 2 HUB and later Edge) to coexist for a period of time. We will transfer several users to Exchange 2007 while the other users will still be on Exchange 2003. (Please note that Exchange 2003 will keep its own access for OWA, mymail.abcd.ca, and a new one is dedicated for the Exchange 2007 CAS, mail.abcd.ca; the users will simply have to change this address and it allows us to do the migration slowly.) But at the end all users will be transferred and all Exchange 2003 will be removed. The timeframe is a month.

2 - We are using one GoDaddy deluxe SAN certificate for Exchange 2007 (external). We're not using an internal self-signed certificate. I want to keep it as simple as it can be.

3 - Autodiscover uses AD, but Exchange 2007 needs an SSL certificate for the local domain too, doesn't it?

Thanks again for your help.
January 12th, 2009 3:51pm

You have two options:

1. You can disable SSL, and just use HTTP internally for OAB distribution and Free/Busy updates from Outlook 2007 clients. Not the most secure, but it will work. ExchangeNinjas has a PowerShell script. Just use HTTP instead of HTTPS for your internal URLs. http://www.exchangeninjas.com/set-allvdirs. This is also where you set the correct external DNS name, if it is different from your internal local DNS.

2. You can use the default self-signed certificates (installed by default) via a domain GPO. You add them to the "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities" section of the GPO.

Lastly, typically to save costs, you can have the CAS and Hubs on the same servers depending on your utilization.

John Gilham, Principal Consultant, Gilham Consulting, Advanced Microsoft Solutions. Web: www.Gilham.org
January 12th, 2009 7:08pm

I'm trying to find the easiest way. The second one seems to be the easier solution. But I'm not sure I fully understand. I still need the third-party SAN certificate for the external users, don't I? So I would have 2 SAN certificates, but I don't see how I can use 2 SSL certificates in IIS7. We have all the resources to run 2 CAS in NLB (already up and running) and 2 HUB. I prefer not to use the HUB servers in NLB although it's now supported in SP1. We have 2 dedicated physical hosts with 2 Quad Core and 32GB RAM each running VMware ESX 3.5 update 3 and also iSCSI SAN, Virtual Center, VMotion and HA, so I can run as many Exchange 2007 servers as we need. But abc.ca is the issue. So frustrating!
January 12th, 2009 9:32pm

You really need to look into how internal and external URLs differ in Exchange 2007 before you proceed... there are many options. Also, you can front-end any internal cert with a reverse proxy by adding ISA 2006. That will be the simplest solution... but you must make sure that ISA/Active Directory users trust the self-signed certificates when managed internally.

Good Luck!

John Gilham, Principal Consultant, Gilham Consulting, Advanced Microsoft Solutions. Web: www.Gilham.org
January 12th, 2009 9:44pm
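As an added example (not from the thread, and not the ExchangeNinjas script it mentions), here is the internal/external URL split the two replies above refer to, applied with the Exchange 2007 Management Shell, followed by a check that every host name handed to clients is actually on the certificate bound to IIS. It assumes a single public SAN certificate whose name (mail.abcd.ca, the name used in this thread) is also resolved internally to the CAS NLB by split DNS, so the unowned abc.ca name never has to appear on the certificate; the CAS server names are the ones from this thread.

```powershell
# Added example, not part of the original thread. Run from the Exchange 2007
# Management Shell with Exchange Organization Administrator rights.
# Assumption: internal (split) DNS resolves mail.abcd.ca to the CAS NLB VIP,
# so the same SAN-covered name can be used for both internal and external URLs.
$casServers   = "s2008excas01", "s2008excas02"   # CAS names from the thread
$externalHost = "mail.abcd.ca"                   # name on the GoDaddy SAN cert
$internalHost = "mail.abcd.ca"                   # same name via split DNS (assumption)

foreach ($cas in $casServers) {
    # Outlook Web Access
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -InternalUrl "https://$internalHost/owa" `
        -ExternalUrl "https://$externalHost/owa"

    # Offline Address Book distribution (Outlook 2007 downloads the OAB here)
    Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
        -InternalUrl "https://$internalHost/OAB" `
        -ExternalUrl "https://$externalHost/OAB"

    # Exchange Web Services: free/busy and Out of Office for Outlook 2007
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -InternalUrl "https://$internalHost/EWS/Exchange.asmx" `
        -ExternalUrl "https://$externalHost/EWS/Exchange.asmx"

    # Autodiscover SCP that domain-joined Outlook reads from AD (not from DNS)
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri "https://$internalHost/Autodiscover/Autodiscover.xml"
}

# Check: every host name used above must be present on the certificate that
# has the IIS service enabled, otherwise Outlook/OWA users get a certificate
# warning. Get-ExchangeCertificate is local in Exchange 2007, so run this
# part on each CAS.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains }

foreach ($name in @($internalHost, $externalHost) | Sort-Object -Unique) {
    if ($certNames -notcontains $name) {
        Write-Warning "$name is not on the IIS-bound certificate; clients will see a warning"
    } else {
        Write-Host "$name is covered by the IIS-bound certificate"
    }
}
```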

The main internal URL is https://mail.abc.ca/owa (which is the DNS name added for the CAS servers in NLB, s2008excas01 and s2008excas02) and the external URL is https://mail.abcd.ca. If I use ISA 2006 SP1, I still need the third-party certificate; I can't use only the self-signed SAN certificate. To my understanding I can have only 1 SSL cert per Web server (IIS7). Is it something I can overcome with ISA? I'm not very familiar with all the features in ISA 2006 SP1.

Thanks
January 12th, 2009 10:33pm

You will need an external certificate for the ISA server (you will need a SAN certificate)... which will proxy or "convert" the public SSL certificate to your private, self-signed certificates hosted on your CAS servers.
January 12th, 2009 10:38pm

OK, now I begin to understand. The ISA we want to set up will be a back-end firewall and a dual-homed ISA server. My reference is the book "Integrating ISA Server 2006 with Microsoft Exchange 2007" and also isaserver.org. But it doesn't cover the proxying when an external certificate is used for the ISA and a self-signed one on the CAS. If you know a book or web site that covers this topic it would be very helpful.

Thank you very much
January 12th, 2009 11:13pm

Here are a few articles that will help:

http://technet.microsoft.com/en-us/library/bb266987.aspx
http://www.msexchange.org/tutorials/Outlook-Anywhere-2007-ISA-Server-2006.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html

John Gilham, Principal Consultant, Gilham Consulting, Advanced Microsoft Solutions. Web: www.Gilham.org
January 12th, 2009 11:39pm
