how to move a Client Access role and Hub Transport role to a new server
1. I exported the certificate using mmc & while importing this to the new server found the certificate already existed in the personal-certificate directory. However, I completed the import process & I got the pop-up window saying import successful.
2. I ran the Get-ExchangeCertificate -DomainName server2.domain.local (which is the FQDN of the new server). I got the result as
Thumbprint Services Subject
---------- -------- -------
3DB4ECD1F43FC1457FE7A71402C863FA9BBBEFA6 IP.WS CN=SERVER2
However, I ran Get-ExchangeCertificate -DomainName email.domain.com (which is the FQDN on the imported certificate). I got the result as
Thumbprint Services Subject
---------- -------- -------
B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D ..... CN=email.domain.com, ...
Please advise if I need to enable the services (POP3 & SMTP) on the email.domain.com?
Again, I need to keep OWA on the old server as of now along with the http/https services.
Please advise on what's next & how to complete this exercise.
--------------------------------------------------------------------------------------------------------------
Now after installing the hub & CAS services on the new server, some Outlook 2007 users are complaining of getting a pop-up
Microsoft Office Outlook
There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site.
Please advise if this is related to our exercise and how we can resolve this asap.
----------------------------------------------------------------------------------------------------------------
May I go ahead and update the new server for the current updates
-------------------------------------------------------------------------------------------------------------------
Our current scenario is
Edge Services - Mcafee Gateway Appliance
Hub, CAS, Mailbox, OWA - Exchange Server
All MX records are pointing to the Mcafee Email Security Gateway Appliance
We are currently changing our scenario such that we are removing the Mcafee Gateway Appliance & replacing the Mcafee Gateway Client with Symantec Email Cloud Security. Our MX records will point to the Symantec Email Cloud
We are moving the Hub & CAS services (POP3 + SMTP) to a new front end server
The existing exchange server will run the Mailbox Services & OWA.
Now as we complete our exercise, my network team will map the public IP of our McAfee email gateway (which is deactivated) to the local IP of the new server.
My task is to ensure the mail flow is enabled & activated between the 2 servers & then I must point the MX records to the Symantec cloud.
Please advise on how I can complete my task without any downtime & at the earliest.
-------------------------------------------------------------------------------------------------------------------------------------
April 28th, 2012 8:46am
Hi Philip,
You cannot move the roles as like fsmo roles.. you have to install Exchange 2007 (HUB & CAS) roles on new server and have to remove from existing server..
Kottees : My Blog : Please mark it as an answer if it really helps you.
April 28th, 2012 10:18am
Option 1 ,
Get a HUB and Client access role installed on the new server and
Change your mailflow to that Server and Configure OWA to the new server
No Downtime
Option 2 :
Needs downtime ,
Turn off the server gracefully
Unjoin from the domain , Reset the comp account in AD
----
Bring the new server with same name , same ip
Do Setup.com /recoverserver
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 11:34am
Hi Sathesh,
why we need to unjoin the server from domain... we can remove HUB/CAS roles using Exchange Maintenance Mode
http://technet.microsoft.com/en-us/library/bb124115(v=exchg.80).aspx
Kottees : My Blog : Please mark it as an answer if it really helps you.
April 28th, 2012 11:40am
Hi Kotees,
Removing the Server in Exchange Maintenance mode will remove the Server from Active Directory
Then
Recover Server wouldn't be possible
----------------
Recoverserver needs an Object in Active Directory. This is the Process we do in Disaster Recovery .
But we can do it in our Scenario as well
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 11:43am
yeah thanks for the info. Modifying can be tried right.. pls see here
http://technet.microsoft.com/en-us/library/bb124273(v=exchg.80).aspx
Kottees : My Blog : Please mark it as an answer if it really helps you.
April 28th, 2012 12:04pm
Assign the Services to the New Server
Will get back to you with the Steps shortly
Mean time have a look at this KB below ,
http://support.microsoft.com/kb/940726
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 1:15pm
Hi Sathesh, I would rather stick with option 1. Please advise on how to change the mailflow to the new server and how to configure OWA to the new server.
I am relatively new with the exchange server environment, so my questions may be childish and may need a bit of spoon feeding.
How do I remove the roles from the old server & change it to the new server without having a downtime.
Any links that will help me with this process?
April 28th, 2012 2:25pm
Hi Satesh,
Again, please tell me if this will cause any changes in my existing environment.
Also, I need to ensure only the SMTP & POP3 services are assigned to the new server. OWA (https/https) needs to remain on the new server.
Also, do I need to assign these services to server2.domain.local (the FQDN of the new server) or email.domain.com (the FQDN on the imported certificate). The result of the Get-ExchangeCertificate -Domainname for each of these are posted above.
Please help me
April 28th, 2012 2:38pm
Don't remove anything as of now Philip
First Install Exchange on the New server with our required roles
Then we will proceed further slowly without downtime.
------------------
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 2:47pm
Ok Sathesh, please advise, as I am doing custom installation of Exchange Server, I will install HT & Client Access Roles. Do I need to install the Exchange Mgmt console?
April 28th, 2012 3:06pm
Yes , HUB , CAS and MGMT Tools.
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 3:07pm
Hi Sathesh, I am waiting for your help mate. please advise
April 28th, 2012 3:17pm
Go Back to your Old Server - Server Configuration - Check what are the Services assigned
Come to your New HUB/CAS Server - Server Configuration - Right click on the Cert - Assign the Same Services
This won't affect your Production.
Will come back with the Next Steps
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 3:30pm
After Assigning the Services to the Cert
Apply the following kb Pointing to the new CAS server
Applying the kb will resolve the Certificate popup
http://support.microsoft.com/kb/940726
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 3:32pm
Hi Satesh,
I am very confused with this process.
Like I said I am very new to this so I need some really detailed explanation on how to do this.
When you say Server Manager, I understand you want me to look in the Server Configuration under Exchange Management Console.
How do I check the Services Assigned under Exchange Management Console in Exchange 2007.
Again how do I see the certificates under server configuration & right click on it to assign the same services?
From what I can see on my Exchange Management Console, I can see both my servers on the console under Server Configuration - Hub & Client Access.
Under Hub both the receive connectors are enabled.
Under client the OWA is disabled.
Now Satesh, please help me
how do I check what services are enabled in the old server
and
how do I assign the same services to the certificate in the new server
April 28th, 2012 4:22pm
Run Get-ExchangeCertificate -Server "OlderServer" | fl
Check for Services in that
This should show what services assigned in the old server
let me know what services are assigned
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 4:26pm
Hi Satesh,
I tried to assign the services using Exchange Management Shell using the command
Enable-ExchangeCertificate -ThumbPrint "B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D" -Services "SMTP, IMAP, POP"
I get the below
Confirm
Overwrite existing default SMTP certificate,
'3DB4ECD1F43FC1457FE7A71402C863FA9BBBEFA6' (expires 31-Mar-13 10:46:53 AM),
with certificate 'B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D' (expires 11-Jul-14
4:00:00 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):
Please advise on my way forward.
Please help.
philip
April 28th, 2012 4:43pm
Hi Sathesh,
The above KB is applicable only if we are using OWA on the new server or is it applicable to use in my current situation. Will this affect the production environment of users connecting to OWA or/and users connecting to Exchange using Outlook.
Do we need to apply this KB only on the new server or also on the old server.
Please help.
April 28th, 2012 4:46pm
If your Thumbprint is correct Go ahead
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 4:49pm
We are not doing anything for External
We are applying this kb only to set things for your Internal Autodiscover
Do it only for Our New server
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 4:50pm
I ran the below on the new server,
Get-ExchangeCertificate -DomainName email.platcorp.com
Thumbprint Services Subject
---------- -------- -------
B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D IP..S CN=email.platcorp.com, ...
I believe I have assigned the POP3, IMAP & SMTP services to the certificate on the new server.
April 28th, 2012 5:11pm
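A way to check the point this thread keeps circling, as an added example that is not part of the original thread and was not posted by any participant: which services each certificate on the new server carries, and whether the names on the imported certificate cover the host names the new Client Access server publishes. It is meant for the Exchange Management Shell on the new server; the thumbprint is the one quoted in the thread, and the string conversion of the CertificateDomains entries is an assumption.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the new Hub/CAS server. Uses only PowerShell 1.0 syntax.

# Thumbprint quoted in the thread for CN=email.domain.com; substitute your own.
$thumb  = 'B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D'
$server = $env:COMPUTERNAME

# A wildcard entry covers exactly one label to the left of its parent domain.
function Test-NameCovered([string]$hostName, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        $dot = $hostName.IndexOf('.')
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $n.Substring(2) -eq $hostName.Substring($dot + 1)) { return $true }
    }
    return $false
}

# 1. Every certificate on this server with its service assignment.
#    In the short table view the Services column is abbreviated:
#    S = SMTP, I = IMAP, P = POP, U = UM, W = IIS (so "IP..S" has no IIS).
Get-ExchangeCertificate |
    Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize

# 2. Names carried by the imported certificate.
#    Assumption: each CertificateDomains entry converts to its domain string.
$cert      = Get-ExchangeCertificate -Thumbprint $thumb
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

# 3. Host names in the URLs this Client Access server hands out to Outlook.
$urls = @(
    (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    Get-WebServicesVirtualDirectory -Server $server |
        ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OabVirtualDirectory -Server $server |
        ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OwaVirtualDirectory -Server $server |
        ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
) | Where-Object { $_ }

$hostNames = $urls |
    ForEach-Object { ([System.Uri]"$_").Host } |
    Sort-Object -Unique

# 4. One row per published host name: is it on the certificate, and is that
#    certificate the one IIS presents for HTTPS on this server?
$iisBound = "$($cert.Services)" -match 'IIS'
foreach ($h in $hostNames) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty HostName       $h
    $row | Add-Member NoteProperty CoveredByCert  (Test-NameCovered $h $certNames)
    $row | Add-Member NoteProperty CertBoundToIIS $iisBound
    $row
}
```

A row with CoveredByCert or CertBoundToIIS set to False identifies a URL for which Outlook is offered a certificate whose name does not match the host it connected to.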
Please advise if I can apply this KB at a later stage.
Please advise on what are the further steps ahead & how do we go about this.
what all processes are left
April 28th, 2012 5:13pm
Hi Philip
We are almost done
we are on the later stage i guess
Applying the KB won't affect your Production
Just before that Click on Server Configuration - in your New Server - Click for OWA Default Web Site properties
Set your External URL as Similar from your Old Server
Do the Same For all the Tabs like Active Sync,OAB etc,.
Do we use OL anywhere ?
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 5:17pm
Again,
1. do we need to edit the OWA default web site properties on the new server when my actual scope is to let the OWA service (http/https) stay on the old server.
2. Outlook Anywhere Enabled, is "True" on the old server & "False" on the new server.
3. OWA(Default Website) is Enabled on the old server. OWA (Default Website) is Disabled on the new server.
4. The Internal URL for the OLD Server is
https://oldserver.domain.local/owa, the External URL is
https://email.domain.com/owa
5. I am presuming The Internal URL for the NEW Server is
https://oldserver.domain.local/owa, the External URL is
https://email.domain.com/owa, please correct me if I am wrong, Or must the Internal URL be
https://newserver.domain.local/owa and the External URL be
https://email.domain.com/owa
April 28th, 2012 5:27pm
hmmm Applying the KB will Fix only your Certificate Pop up philip
Nothing else will happen
Setting the External URL doesn't affect anything. if your old server crashes you can reroute everything to the new CAS easily on DR scenarios
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 5:58pm
Hi Philip ,
Sorry for the Delay,
That Popup is normal .
We can Proceed further .
Export the Exchange Certificate from the Old CAS and import to the New CAS now
Will get the steps for you soon
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 7:08pm
Am Terribly Sorry Philip
Little held up with work here
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 7:09pm
Server Configuration - See Exchange Certificates in the bottom Part - Export the Exchange Certificate you're using before - you will get some pfx file
You're using a 3rd party Cert right ?
Go to the New CAS and import the same . And Right click on the cert - assign the same services
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 7:14pm
Ok Satesh, I have added the external URL for all the services. I have left the internal URL as the default.
What next?
April 28th, 2012 10:01pm
If you don't want to Change your OWA to the New Server,
This would be your last step.
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 10:07pm
hmmmm. Yes, I do not want to change OWA to my new server as of now but yes at a later stage once I know the other services are working on the new server.
Is this my last step?
How do I make sure the hub & CAS services on the new server are functional & have entered production?
Also, I haven't removed these services from the old server.
My scope is to move the hub & client access services to the new server.
Please advise.
April 28th, 2012 10:11pm
Once you moved your OWA to your New Server - Public IP NATs to your New Server -- If you're using any smart host - Then make appropriate changes
Then only the New Server will become Active fully.
Until That it will be used just for internal Mailflow
----------------
And you should not decommission the old Server just like that
-------------
After moving everything - Closing outlook and reopening will recognize your New CAS server. By going into your Old server and Old server will tell where the new server is
if you decommission before that - outlook won't reopen , you got to re configure the profile
After moving everything you got to wait for some months or Make everyone to close and reopen outlook before you decommission
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 10:15pm
Hi Satesh,
Our scope is to only move the hub & cas services into the new server for internal mail flow. The old server will be used for Mailbox & OWA services.
Our main idea is to split the roles between 2 servers to ensure one server is not fully loaded with all the roles and the 2nd server (our new server) shares the load.
We will NEVER be decommissioning the old server.
My objective is to MOVE the hub & CAS services to the new server. Once the roles on the new services are activated, I need to disable this on the old server.
Please help me on how to ensure the hub & client access roles are only running on the new server not on the old.
April 28th, 2012 10:25pm
You must understand one thing
CAS Server handles Clientaccess - That cannot be shared
Now HUB is sharing your mailflow already. Cause it works like round robin,
You can't disable any services in your old server
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 10:48pm
Satesh,
Please help me understand what happens if I disable the HUB & CAS on the old server. will this affect my production.
as my objective is to ensure the HUB & CAS roles are no more on the old server
April 28th, 2012 10:55pm
=============================================================================
Hi Satesh,
Our scope is to only move the hub & cas services into the new server for internal mail flow. The old server will be used for Mailbox & OWA services.
Our main idea is to split the roles between 2 servers to ensure one server is not fully loaded with all the roles and the 2nd server (our new server) shares the load.
We will NEVER be decommissioning the old server.
My objective is to MOVE the hub & CAS services to the new server. Once the roles on the new services are activated, I need to disable this on the old server.
Please help me on how to ensure the hub & client access roles are only running on the new server not on the old.
==============================================================================
Satesh,
Please help me understand what happens if I disable the HUB & CAS on the old server. will this affect my production.
as my objective is to ensure the HUB & CAS roles are no more on the old server
==============================================================================
PLEASE MAKE ME UNDERSTAND - WHAT YOUR COMING TO SAY
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 11:04pm
So does this mean my new server is already in production?
Is the below scenario possible or achievable in my environment?
I need to move the hub & CAS to the new server & then remove it from the old server. If I did this, how will it affect my production.
How do I enable OWA on the new server, as I need to do this in the near future.
Lastly, I need to ensure that all client access is through my new server.
You have mentioned "CAS Server handles Clientaccess - That cannot be shared" - does this mean, the CAS can only be on one server, either the old or the new? It cannot be between the 2? Am I correct?
In my current scenario, are you sure that all SMTP & POP3 access is now only through my new server? I do not want Client access through my old server.
I hope you are getting what I am trying to communicate.
Simply put, why is it that I cannot have the CAS & HUB on one server & the Mailbox on another server?
April 28th, 2012 11:06pm
Seems like you are irritated. I am very sorry. I am just trying to ensure everything is seamlessly done.
My objective in this exercise is to ensure we move the CAS & HUB roles to the new server. My understanding during this exercise was to setup the 2 roles on the new server, import certificate, assign the services, and remove the roles from the old server.
With our exercise, we have done all of this except removing the roles from the old server.
What happens if we remove the roles from the old server?
Is the new server & the HUB & CAS roles in it already in production?
How do I make sure the HUB & CAS roles on the new server are fully in production & working? If they are fully functional why cannot these roles be disabled on the old server?
Or to be precise, do these roles need to run on both the servers to ensure communication between the old & new server? Because my scope was only to create a front end server with CAS & HUB, leaving the old server as backend with the mailbox services.
Hope I am clear in my communication
April 28th, 2012 11:15pm
Now Everything is Done
One Last thing is You got to Activate your New Server where all your Firewall will be pointing to your old Server
and you got to change it to your new server then Only the New Server will be Completely Active.
You need some Guidance For that
That cannot be provided in chat
Please open up a Ticket with Microsoft and get the last part done
1-800-936-4900
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you
April 28th, 2012 11:20pm
Hi Satesh,
Thanks for the response mate.
Just a quick one before I import-export the certificates, will this affect my current scenario? The reason I am asking this is to ensure all 4000+ users will not have any impact/downtime and at the same time the move will be seamless.
Also, what are the next steps involved.
Thank You & Kind Regards
Philip
April 29th, 2012 12:25am
Well done Sathesh. Thank you so much. Explained a lot.
Kottees : My Blog : Please mark it as an answer if it really helps you.
April 29th, 2012 3:16am
Hi Sathesh, I installed all of the above.
All of a sudden a certificate security window popped up for all users using Outlook 2007/Outlook 2010. Is this normal? I hope I haven't made any AD wide changes by just making the installation.
Please advise if the Certificate window that popped up is normal? Hope it doesn't affect the existing setup?
Also, please advise what's next?
Can I update the Exchange as it's showing one important update.
Awaiting your prompt response & advise.
Thank You & Kind Regards
Philip
April 29th, 2012 3:18am
We are currently on MS Exchange 2007 SP1 on Windows 2008 Enterprise SP2.
The Hub Transport, Client Access & Mailbox roles are all in one server box. I understand this is not ideal. We are to move the Hub Transport Role & The Client Access Role to a new server.
Please help me on the process to do this without having to face any major downtime.
Currently we have setup a new server with Windows 2008 Enterprise SP2. Do we need to install MS Exchange 2007 with SP1 on this server? Taking it further, how do I move the existing Hub Transport Rule & Client Access Role to this new server.
Please advise.
Thank You & Kind Regards
Philip
April 29th, 2012 4:16am
Hi Satesh,
1. I am using Exchange 2007. I can't see the certificate import export option in the Exchange Management Console. I understand we must use the Exchange cmdlet for this. Please advise.
2. Please advise on how to enable the services on this certificate after importing it to the new server.
3. I need to enable the POP3, SMTP services on the new server but keep the HTTP/HTTPS on the old server, meaning we want to keep the OWA on the old server.
4. How to enable mailflow?
We need to ensure all of the above is done without any downtime or affecting any of our users in various time zones.
5. Can I proceed with all the updates on the new server with regards to Exchange 2007.
April 29th, 2012 6:55am