1. I exported the certificate using mmc & while importing this to the new server found the certificate already existed in the personal-certificate directory. However, I completed the import process &igot thepop-up window saying import successful.
2. i ran the Get-ExchangeCertificate -DomainName server2.domain.local (which is the FQDN of the new server). I got the result as

Thumbprint Services Subject
---------- -------- -------
3DB4ECD1F43FC1457FE7A71402C863FA9BBBEFA6 IP.WS CN=SERVER2
However, i ran Get-ExchangeCertificate -DomainName email.domain.com (which is the FQDN on the imported certificate). I got the result as

Thumbprint Services Subject
---------- -------- -------
B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D ..... CN=email.domain.com, ...
Please advise, if i need to enable the services (POP3 & SMTP) on the email.domain.com?
Again, I need to keep OWA on the old server as of now along with the http/https services.
Please advise on whats next & how to complete this excercise.
--------------------------------------------------------------------------------------------------------------
Now after installing the hub & CAS services on the new server, some Outlook 2007 users are complaining of getting a pop-up

Microsoft Office Outlook
There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site.
Please advise if this is related to our excercise and how we can resolve this asap.
----------------------------------------------------------------------------------------------------------------
May I go ahead the update the new server for the current updates
-------------------------------------------------------------------------------------------------------------------
Our current scenario is
Edge Services - Mcafee Gateway Appliance
Hub, CAS, Mailbox, OWA - Exchange Server
All MX records are pointing to the Mcafee Email Security Gateway Appliance

We are currently changing our scenario such that we are removing the Mcafee Gateway Appliance & replacing the Mcafee Gateway Client with Symantec Email Cloud Security. Our MX records will point to the Symantec Email Cloud
We are moving the Hub & CAS services (POP3 + SMTP) to a new front end server
The existing exchange server will run the Mailbox Services & OWA.
Now as we complete our excercise, my network team will map the public ip of our mcafee email gateway (which is deactivated) to the local IP of the new server.
My task is to ensure the mail flow is enabled & activated between the 2 servers & then I must point the MX records to the symantec cloud.
Please advise on how i can complete my task without any downtime & at the earliest.

-------------------------------------------------------------------------------------------------------------------------------------

There is an amazing pack of free network admin tools. click here to download it

Hi Philip,
You cannot move the roles as like fsmo roles.. you have to install Exchange 2007 (HUB & CAS) roles on new server and have to remove from existing server.. Kottees : My Blog : Please mark it as an answer if it really helps you.

Need to support users over the internet? click here try our remote control online beta

Option 1 ,
Get a HUB and Client access role installed on the new server and
Change your mailflow to that Server and Configure OWA to the new server
No Downtime

Option 2 :
Needs downtime ,
Turn off the server gracefully
Ujoin from the domain , Reset the comp account in AD
----
Bring the new server with same name , same ip
Do Setup.com /recoverserverSatheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Hi Sathesh,
why we need to unjoin the server from domain... we can remove HUB/CAS roles using Exchange Maintenance Mode

http://technet.microsoft.com/en-us/library/bb124115(v=exchg.80).aspxKottees
: My Blog : Please mark it as an answer if it really helps you.

There is an amazing pack of free network admin tools. click here to download it

Hi Kotees,
Removing the Server in Exchange Maintanance mode will remove the Server from Active Directory
Then
Recover Server wouldn't be possible
----------------

Recoverserver needs an Object in Active Directory. This the Process we do in Disaster Recovery .
But we can do it in our Scenario as wellSatheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

yeah thanks for the info. Modifying can be tried right.. pls see here

http://technet.microsoft.com/en-us/library/bb124273(v=exchg.80).aspx

Kottees : My Blog : Please mark it as an answer if it really helps you.

Need to support users over the internet? click here try our remote control online beta

Assign the Services to the New Server
Will get back to you with the Steps shortly
Mean time have a look at this KB below ,

http://support.microsoft.com/kb/940726Satheshwaran
Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Hi Sathesh, I would rather stick with option 1. Please advise on how to change the mailflow to the new server and how to configure OWA to the new server.

I am relatively new with the exchange server environment, so my questions may be childish and may need a bit of spoon feeding.

How do I remove theroles from the old server & change it to the new server without having a downtime.

any links that will help me with this processes.

Need to support users over the internet? click here try our remote control online beta

Hi Satesh,

Again,please tell me if this will cause any changes in my existing enviroment.

Also, i need to ensure only the SMTP & POP3 services are assigned to the new server.OWA (https/https) needs to remain on the new server.

Also, do i need to assigne these services to server2.domain.local (the FQDN of the new server) or email.domain.com (the fqdn on the imported certificate). The result of the Get-ExchangeCertificate -Domainname for each of these are posted above.

Please help me

There is an amazing pack of free network admin tools. click here to download it

Don't remove anything as of now Philip
First Install Exchange on the New server with our required roles
Then we will proceed further slowly without downtime.
------------------
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

There is an amazing pack of free network admin tools. click here to download it

Ok Sathesh, please advise,as I am doing custom installation of Exchange Server, i will install HT & Client Access Roles.Do I need to install the Exchange Mgmt console?

Need to support users over the internet? click here try our remote control online beta

Yes , HUB , CAS and MGMT Tools.
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

There is an amazing pack of free network admin tools. click here to download it

Hi Sathesh, I am waiting for your help mate. please advise

Need to support users over the internet? click here try our remote control online beta

Go Back to your Old Server - Server Configuration - Check what are the Services assigned
Come to your New HUB/CAS Server - Server Configuration - Right click on the Cert - Assign the Same Services
This won't affect your Production.
Will come back with the Next StepsSatheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

There is an amazing pack of free network admin tools. click here to download it

After Assigning the Services to the Cert
Apply the following kb Pointing to the new CAS server
Applying the kb will resolve the Certificate popup

http://support.microsoft.com/kb/940726


Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Hi Satesh,

I am very confused with this process.
Like I said I am very new to this so I need some really detailed explanation on how to do this.
When you say Server Manager, I understand you want me to look in the Server Configuration under Exchange Management Console.
How do I check the Services Assigned under Exchange Management Console in Exchange 2007.
Again how do i see the certificates under server configuration & right click on it to assign the same services?
From what I can see on my Exchange Management Console, I can see both my servers on the console under ServerConfiguration - Hub & Client Access.
Under Hub both the receive connectors are enabled.
Under client the owa is disabled.

Now Satesh, please help me
how do i check what services are enabled in the old server
and
how do i assign the same services to the certificate in the new server

There is an amazing pack of free network admin tools. click here to download it

Run Get-ExchangeCertificate -Server "OlderServer | fl
Check for Services in that
This should show what services assigned in the old server
let me know what services are assigned

Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Hi Satesh,
I tried to assign the services using Exchange Management Shell using the command
Enable-ExchangeCertificate -ThumbPrint "B61BB06A398BE31
FAA1C6958EBC1DEABB3022F8D" -Services "SMTP, IMAP, POP"
I get the below
Confirm
Overwrite existing default SMTP certificate,
'3DB4ECD1F43FC1457FE7A71402C863FA9BBBEFA6' (expires 31-Mar-13 10:46:53 AM),
with certificate 'B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D' (expires 11-Jul-14
4:00:00 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):
Please advise on my way forward.
Please help.
philip

Need to support users over the internet? click here try our remote control online beta

Hi Sathesh,

The above KB is applicable only if we are using OWA on the new server or is it applicable to use in my current situation. Will this effect the production enviroment of users connecting to OWA or/and users connecting to exchange using outlook.
Do we need to apply this KB only on the new server or also on the old server.

please help.

Need to support users over the internet? click here try our remote control online beta

If your Thumbprint is correct Go aheadSatheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

We are not doing anything for External
We are applying this kb only to set things for your Internal Autodiscover
Do it only for Our New server


Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

I ran the below on the new server,
Get-ExchangeCertificate -DomainName email.platcorp.com
Thumbprint Services Subject
---------- -------- -------
B61BB06A398BE31FAA1C6958EBC1DEABB3022F8D IP..S CN=email.platcorp.com, ...

I believe I have assigned the POP3, IMAP & SMTP services to the certificate on the new server.

Need to support users over the internet? click here try our remote control online beta

Please advise if I can apply this KB at a later stage.
Please advise on what are the further steps ahead & how do we go about this.
what all processes are left

Need to support users over the internet? click here try our remote control online beta

Hi Philip
We are almost done
we are on the later stage i guess
Applying the KB won't affect your Production
Just before that Click on Server Configuration - in your New Server - Click for OWA Default Web Site properties

Set your External URL as Similar from your Old Server
Do the Same For all the Tabs like Active Sync,OAB etc,.
Do we use OL anywhere ?Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Again,

1. do we need to edit the OWA default web site properties on the new server when my actual scope is to let the OWA service (http/https) stay on the old server.

2. Outlook Anywhere Enabled, is "True" on the old server & "False" on the new server.
3. OWA(Default Website) is Enabled on the old server. OWA (Default Website) is Disabled on the new server.
4. The Internal URL for the OLD Server is

https://oldserver.domain.local/owa
, the External URL is

https://email.domain.com/owa

5. I am presuming The Internal URL for the NEW Server is

https://oldserver.domain.local/owa
, the External URL is

https://email.domain.com/owa
, please correct me if I am wrong, Or must the Internal URL be

https://newserver.domain.local/owa
and the External URL be

https://email.domain.com/owa


There is an amazing pack of free network admin tools. click here to download it

hmmm Applying the KB will Fix only your Certificate Pop up philip
Nothing else will happen
Setting the External URL doesn't affect anything. if your old server crashes you can reroute everything to the new CAS easily on DR scenarios


Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Hi Philip ,

Sorry for the Delay,
That Popup is normal .
We can Proceed further .
Export the Exchange Certificate from the Old CAS and import to the New CAS now

Will get the steps for you soon
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Am Terribly Sorry Philip
Little held up with work hereSatheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

There is an amazing pack of free network admin tools. click here to download it

Server Configuration - See Exchange Certificates in the bottom Part - Export the Exchange Certificate your using before - you will get some pfx file
Your using a 3rd party Cert right ?
Go to the New CAS and import the same . And Right click on the cert - assign the same servicesSatheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Ok Satesh, I have added the external URL for all the services. I have left the internal URL as the default.
What next?

Need to support users over the internet? click here try our remote control online beta

If you doesn't want to Change your OWA to the New Server,
This would be your last step.Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

There is an amazing pack of free network admin tools. click here to download it

hmmmm. yes i do not want to change owa to my new server as of now but yes at a later stage once I know the other services are working on the new server.
Is this my last step?
How do i make sure the hub & cas services on the new server are functional & have entered production?
Also, i havent removed these services from the old server.
my scope is to move the hub & client access services to the new server.
please advise.

Need to support users over the internet? click here try our remote control online beta

Once you moved your OWA to your New Server - Pubic Ip Nats to your New Server -- If your using any smart host - Then make appropriate changes
Then only the New Server will become Active fully.
Untill That it will be used just for internal Mailflow
----------------
And you should not decommission the old Server just like that
-------------
After moving everything - Closing outlook and reopening will recognize your New CAS server. By going into your Old server and Old server will tell where the new server is

if you decomission before that - outlook won't reopen , you got to re configure the profile
After moving everything you got to wait for some months or Make everyone to close and reopen outlook before you decomission

Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Hi Satesh,
Our scope is to only move the hub & cas services into the new server for internal mail flow. The old server will be used for Mailbox & OWA services.
Our main idea is to split the roles between 2 servers to ensure one server is not fully loaded with all the roles and the 2nd server (our new server) shares the load.
we will NEVER be decommisioning the old server.
my objective is to MOVE the hub & CAS services to the new server. Once the roles on the new services are activated, i need to disable this on the old server.
please help me on how to ensure the hub & client access roles are only running on the new server not on the old.

Need to support users over the internet? click here try our remote control online beta

You must understand onething
CAS Server handles Clientaccess - That cannot be shared
Now HUB is sharing your mailflow already. Cause it works like round robin,
You can't disable any services in your old server
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

Need to support users over the internet? click here try our remote control online beta

Satesh,
Please help me understand what happens if I disable the HUB & CAS on the old server. will this affect my production.
as my objective is to ensure the HUB & CAS roles are no more on the old server

There is an amazing pack of free network admin tools. click here to download it

=============================================================================
Hi Satesh,
Our scope is to only move the hub & cas services into the new server for internal mail flow. The old server will be used for Mailbox & OWA services.
Our main idea is to split the roles between 2 servers to ensure one server is not fully loaded with all the roles and the 2nd server (our new server) shares the load.
we will NEVER be decommisioning the old server.
my objective is to MOVE the hub & CAS services to the new server. Once the roles on the new services are activated, i need to disable this on the old server.
please help me on how to ensure the hub & client access roles are only running on the new server not on the old.
==============================================================================

Satesh,
Please help me understand what happens if I disable the HUB & CAS on the old server. will this affect my production.
as my objective is to ensure the HUB & CAS roles are no more on the old server
==============================================================================
PLEASE MAKE ME UNDERSTAND - WHAT YOUR COMING TO SAY Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

There is an amazing pack of free network admin tools. click here to download it

so does this mean my new server is already in production?
is the below scenario possible or acheivable in my environment
i need to move the hub & cas to the new server & then remove it from the old server.if i did this, how will it effect my production.
how do i enable OWA on the new server, as i need to do this in the near future.
lastly, i need to ensure that all client access is through my new server.
you have mentioned "CAS Server handles Clientaccess - That cannot be shared" - does this mean, the CAS can only be one one server, either the old or the new? it cannot be between the 2? am i correct?
In my current scenario, are u sure that all SMPTP & POP3 access is now only through my new server? I do not want Client access through my old server.
I hope you are getting what I am trying to communicate.
simply put it, why is that i cannot have the CAS & HUB on one server & the MAilbox on another server?

There is an amazing pack of free network admin tools. click here to download it

Seems like you are irritated. I am very sorry. I am just trying to ensure everything is seamlessly done.
My objective in this excercise is to ensure we move the CAS & HUB roles to the new server. My understanding during this excercise was to setup the 2 roles on the new server, import certificate, assign the services, and remove the roles from the old server.
With our excercise, we have done all of this except, removing the roles from the old server.
What happens if we remove the roles from theold server?
is the new server & the HUB & CAS roles in it, already in production?
how do i make sure the HUB & CAS roles on the new server are fully in production & working? if they are fully functional why cannot these roles be disabled on the old server?
or to be precise, does these roles need to run on both the servers to ensure communication between the old & new server? cause my scope was only to create a front end server with CAS & HUB, leaving the old server as backend with the mailbox services.
hope i am clear in my communication

Need to support users over the internet? click here try our remote control online beta

Now Everything is Done
One Last thing is You got to Activate your New Server where all your Firewall will be pointing to your old Server
and you got to change it to your new server then Only the New Server will be Completely Active.
You need some Guidance For that
That cannot be provided in chat
Please open up a Ticket with Microsoft and get the last part done
1-800-936-4900Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:
http://www.careexchange.in
| Please mark it as an answer if it really helps you

There is an amazing pack of free network admin tools. click here to download it

Hi Satesh,
Thanks for the response mate.
Just a quick one before I import-export the certificates, will this effect my current scenario. the reason i am asking this is to ensure all 4000+ users will not have any impact/downtime at the sametime the move will be seamless.
also, what are the next steps involved.
Thank You & Kind Regards
Philip

Need to support users over the internet? click here try our remote control online beta

Well done Sathesh. Thank you so much. Explained a lot.Kottees : My Blog : Please mark it as an answer if it really helps you.

There is an amazing pack of free network admin tools. click here to download it

Hi Sathesh, I installed all of the above.
All of a sudden a certificate security window popped up for all users using Outlook 2007/Outlook 2010. Is this normal? I hope I havent made any AD wide changes by just making the installation.

Please advise, if the Certificate window that popped is normal? Hope it doesnt effect the existing setup?

Also, please advise whats next?
Can I update the exchange as its showing one important update.
Awaiting your prompt response & advise.
Thank You & Kind Regards
Philip

There is an amazing pack of free network admin tools. click here to download it

We a re currently on MS Exchange 2007 SP1 on Windows 2008 Enterprise SP2.
The Hub Transport, Client Access & Mailbox roles are all in one server box. I understand this is not ideal. We are to move the Hub Transport Role & The Client Access Role to a new server.
Please help me on the process to do this without having to face any major downtime.
Currently we have setup a new server with Windows 2008 Enterprise SP2. DO we need to install MS EXchange 2007 with SP1 on this server? Taking it further, how do I move the exisiting Hub Transport Rule & Client Access Role to this new server.
Please advise.
Thank You & Kind Regards
Philip

Need to support users over the internet? click here try our remote control online beta

Hi Satesh,
1. I am using Exchange 2007. I cant see the certificate import export option in the exchange management console. I understand we must use the exchange cmdlet for this. please advise.
2. Please advise on how to enable the services on this certificates after importing them to the new server.
3. i need to enable the POP3, SMTP services on the new server but keep the HTTP/HTTPS on the old server, meaning we want to keep the OWA on the old server.
4. how to enable mailflow?
we need to ensure all of the above is done without any downtime or effecting any of our users in various time zones.
5. Can i proceed with all the updates on the new server with regards to exchange 2007.

There is an amazing pack of free network admin tools. click here to download it