
  1. Mike Crowley says:

    Cool! Requiring 3 servers to use a neat feature like this was a real limitation. Glad to see it’s been lifted!

  2. Scott says:

    Hi James,

    There was not a step necessary for modifying the registry. Importing the Registry key taken from the original CA is all that is necessary.

  3. Scott says:

    Hi Tony, Yes, you can use owa.company.com as the FQDN as long as you’re using split DNS. This means you have DNS servers for your internet clients and DNS for your intranet clients.

  4. Amir says:

    Scott, first of all I wanted to say that you are a godsend. I’m in the process of moving a bunch of 2003 roles to 2008 R2 and CA had me puzzled more than anything else. I’ve read a ton of documents about it and yours is by far the best… However, like others, I also have some concerns about the new server name being different from the old one. According to this Microsoft document, http://technet.microsoft.com/en-us/library/ee126140(WS.10,printer).aspx, we should change the new server name to the old one before installing CA, or we’ll run into some complications. Do you think we’ll be perfectly safe if we use a different hostname, but keep the CA name the same?

  5. Scott says:

    Hi Amir,

    Yes, the MS Document is correct in that you need to have the same computer name as the retired server. You may have complications if you change the name of the new server where the CA is to reside. Granted I have never tried to move the CA to a system with a different name so I can’t honestly say what would happen.

  6. [...] For more info on a CASArray see my previous post Exchange 2010 Client Access Server Array (CAS Array). [...]

  7. Don says:

    Is it possible to set up a CAS array with the CAS servers residing in different subnets? We have a failover site and want to have one CAS server there and one in production.

    Thanks!

  8. Scott says:

    Don, this would depend on how your AD sites and services are configured along with what you are using for Load Balancing. If you have a spanned AD site and the NLB device can support multiple subnets I don’t see a problem. HOWEVER, you will have a single point of entry for your VIP (you may be able to configure multiple VIPs but I have never tried). So for redundancy yes, but if you were to have a site failure in the IP where the Virtual Name (Casarray) is accessed you would not be able to access the CASArray. In this situation you could use Outlook Anywhere and slow link detection. ;)

  9. Alex says:

    Our 2003 root CA expires in a couple of months anyway and we don’t use much with CA.

    We have new 2008 R2 server which we want to make our new CA (which already have AD and DNS role installed)

    I can’t demote and turn off the existing 2003 CA as it hosts other services (Exchange).

    I’d rather just scrap the old CA infrastructure and create a new one.

    I’ve looked at revoking and decommissioning info here: http://support.microsoft.com/kb/889250

    I’ve disabled EFS via group policy and the only other certificates issued are:
    CA Exchange
    Domain Controller
    Computer
    User
    Web Server (we use external CA purchased certificates for our websites)

    Would you recommend this action? What would be the sequence of steps to do this?

  10. Alex says:

    Let me expand on the details.

    We use Unity, but it looks like one of our Unity servers acts as a Standalone Certificate authority.

    We use certificates for IAS, but again they are served by a different server which acts as a Standalone CA.

    We use externally purchased certificates for our websites.

    So maybe the better question is, do we even need to run a Root CA?

  11. Alex says:

    Scott,

    We’re looking to either migrate (2003 –> 2008 R2) or just completely recreate our internal CA structure.

    We have standalone CA for our Unity and IAS (wireless RADIUS).

    The only things we used our Root CA for are (from issued certificates)
    CA Exchange
    Domain Controller
    Basic EFS (I’ve disallowed EFS encryption via GPO)
    EFS Recovery Agent
    Computer
    User
    Web Server (We have external CA issued certificates for our websites anyway)

    Our 2003 Root CA expires 9/6/2010 so at this point I’d almost just prefer to retire the 2003 CA and build a 2008 R2 Root CA.

    However, I cannot shut down and remove our existing 2003 Root CA as it also is our backend Exchange Server.

    I’ve been reading this: http://support.microsoft.com/kb/889250
    But I wanted some additional advice about the transition and things to watch out for.

  12. Alex says:

    Whoops, sorry for the duplication. I thought my reply was lost; when I revisited this page I didn’t see my comment anymore. Then I submitted the comment again and then my original reply appeared. Again, sorry for the duplication.

  13. Scott says:

    Hi Alex,

    If you revoke and remove a CA all existing certificates will not work. It would be hard to comment since I’m not too familiar with your environment.

    You do have some options though, remove all the existing certs and deploy a new CA, redeploy Certs.

    The other option would be to move Exchange to a new server and then move the CA to a new server.

    Depending on how integrated your CA is in your environment, moving Exchange to a new server (perfect time for an upgrade) may be your best bet and simplify the effort.

  14. Richard says:

    Thanks for the tip, very useful. I’ve put this in place for the future!

  15. glou says:

    Great! Thanks for this article Scott.

  16. Alex says:

    Scott, we have a 4 member WNLB CAS array and a 3 member DAG. The issue is every time we try to connect via Outlook 2010 we still don’t get access (it fails on the log on to server aspect of the Outlook profile). The CAS servers all work fine when not members of the array. We have set all the specific ports up on the WNLB for MAPI and created a DNS A record for the array. We’ve also created the array by using the New-ClientAccessArray switch and assigned the array to each database in the DAG by using the Set-MailboxDatabase -RpcClientAccessServer switch but still no connectivity. Any ideas?

  17. Scott says:

    @Alex,

    Did the mailboxes exist in the database before the Array was set up? One thing to keep in mind is that there are a number of ports that the CAS will use to contact the mailbox server via RPC. What ports are you allowing through? RPC Ports can range from 1065 – 65000 (or close to that). In some instances you will need to open up all the ports for the connection to occur correctly.

    When you go to an Outlook profile and check the mailbox configuration for the account, what is it pointing to for Exchange Server?
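An added check script for the situation in comments 16 and 17 (not code from the thread or from Microsoft): run in the Exchange 2010 Management Shell on a host that can reach the array VIP, it confirms the array name resolves to a single address, that the RPC endpoint mapper (TCP 135, Outlook's first hop for MAPI) answers through the load balancer, and that every database's RpcClientAccessServer actually is an array FQDN rather than an individual CAS. Only the cmdlets named in the thread are assumed; no array name is hard-coded.

```powershell
# Added example, not from the original post. Requires the Exchange 2010 Management Shell.
$arrays = @(Get-ClientAccessArray)
if ($arrays.Count -eq 0) {
    Write-Warning "No CAS array defined (New-ClientAccessArray has not been run in this org)."
    return
}

foreach ($array in $arrays) {
    $fqdn = $array.Fqdn
    "CAS array {0}: FQDN={1} Site={2} Members={3}" -f $array.Name, $fqdn, $array.Site, ($array.Members -join ', ')

    # 1. The array name must exist in DNS and resolve to exactly one address (the NLB VIP);
    #    several addresses usually means the member servers' A records were reused by mistake.
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString })
    } catch {
        Write-Warning "  DNS lookup for $fqdn failed: $($_.Exception.Message)"
        continue
    }
    "  DNS: {0} -> {1}" -f $fqdn, ($ips -join ', ')
    if ($ips.Count -ne 1) { Write-Warning "  Expected a single VIP, got $($ips.Count) addresses." }

    # 2. Outlook starts a MAPI session by contacting the RPC endpoint mapper on TCP 135.
    #    If the VIP does not forward it, the profile's 'log on to server' step fails.
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($fqdn, 135, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
        "  TCP 135 on $fqdn reachable through the VIP"
    } else {
        Write-Warning "  TCP 135 on $fqdn NOT reachable through the VIP; check the NLB port rules."
    }
    $client.Close()
}

# 3. A database still pointing at a single CAS (or a stale name) produces Outlook profiles that
#    show a server name instead of the array; this lists each database with its status.
$arrayFqdns = $arrays | ForEach-Object { $_.Fqdn.ToLower() }
Get-MailboxDatabase | ForEach-Object {
    $rpc    = "$($_.RpcClientAccessServer)".ToLower()
    $status = if ($arrayFqdns -contains $rpc) { 'OK (array)' } else { 'NOT an array FQDN' }
    "{0,-30} RpcClientAccessServer={1,-40} {2}" -f $_.Name, $rpc, $status
}
```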

  18. Andrew says:

    It seems that profile redirection, while the original CAS is alive, is fixed and works in OL2007 SP2. At least my test showed it. Don’t know whether it works in OL 2010 RTM though…

  19. Hello Scott,

    Just to comment, we’ve just tested on our environment, the move of an enterprise root CA, from a 2k3 server to a 2k8 R2 server (with DIFFERENT NAMES) and it just works!!!

    We’ve just changed a line in the registry that directed the CA Server name to the old one.
    We didn’t notice any problem with certificate issuance or certificate renewal… It was all on the fly.

    In addition I would like to thank you very much for this post. It was very, very helpful to us!!!

    Tietze

  20. Frank Wang says:

    Hi Scott,
    “As a note it appears that the Hub Transport Server in 2010 is not supported for NLB,in many deployments”

    But if I install dedicate HUB server, can I deploy NLB?
    Thanks.

  21. Michael says:

    Hi Scott,

    Wanted to add my thanks to the chorus. Have just performed the AD upgrade (with one DC left) from 2003 R2 to 2008 R2 and all went well with the CA upgrade.

    Ours was also of the x32 to x64 flavour so I don’t quite know why the MS doco says otherwise.

    Cheers for helping me out on the one part of the upgrade I was particularly scared of.

    -Michael

  22. Scott says:

    Hi Frank,
    I’m going to say yes, with a HW load balancer you should be able to load balance the SMTP inbound traffic. Keep in mind however that this is only for inbound SMTP traffic from the internet or a relay. Internal Exchange communication should continue to use the IP address of the actual Exchange Server.

    NLB can be used to provide high availability in the following scenarios:

    –Load balancing of inbound SMTP connections for POP and IMAP client connections to the default Receive connector named “Client” that is created only on Hub Transport servers.

    –Load balancing of inbound SMTP connections for applications that submit e-mail to the Exchange organization.

    –NLB should not be used to distribute connections for internal routing between Hub Transport servers.

  23. Scott says:

    Hi Michael,

    Thanks for the input, glad the article helped!

  24. Scott says:

    @Tietze

    I was wondering about this. The funny thing I was just having a conversation with a client and he asked me the same question. The MS Doc says you can’t do it but after my conversation with the client I recalled doing the exact same thing about three years ago. Granted this was a 2003 to 2003 but it worked with a different server name.

    Would you mind sharing which registry key you tweaked?

  25. Alex says:

    We have an issue where we are intermittently losing connection to our casarray. It connects and users are working fine at first, then it freezes up and users can’t get back in. It all works fine when setting the RPCClientAccessServer to a specific CAS server, but we get this issue with our CAS array. Our CAS servers are all virtual and we’re running it in Multicast. We think this is network/ARP related. Anyone have any ideas? We’ve already disabled RPCEncryption.

  26. Mike says:

    In the article it says “In the event of an outage the Outlook client will lose connectivity to the Exchange Mailbox Server and will not be able to fail over to another CAS in the Active Directory Site since it has already established a connection to a CAS which is now down. How does the Outlook client find the CAS?”

    If that is the case, if I close out of Outlook and reopen Outlook, will my client pick up the other CAS server and connect to it?

  27. Amir says:

    I migrated one Certificate Authority server to 2008 R2 and I did change the hostname to something different (not the CA name, just the computer name). It’s been over a month since I did it and we’ve had no issues. It wasn’t easy though. I was working on it till 5 in the morning with Microsoft on the phone because the new service wouldn’t start after the restore. We ended up following this document to complete the process: http://support.microsoft.com/default.aspx?scid=kb;EN-US;969302

    In addition to Scott’s guide, I followed this document to complete the migration. It’s very long, but explains every step, including the registry tweaks and modifications to change the hostname: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

    Now, I’m about to migrate the CA on 5 more servers. If I come across any pitfalls, I’ll let you guys know.

  28. Damir says:

    I tried this way but after I disabled archiving for that user, there was no archive mailbox in disconnected mailbox under recipient configuration. Not even after that command “clean..”
    So I restored mail from the pst backup of the archive folder that I made before.
    Pity Microsoft didn’t make this better. If they made archiving automatic, they should have made the other way around automatic too.

  29. Elvis says:

    Does anyone know if this will be fixed in SP1 or via another hotfix?

    thx

  30. DadiO says:

    Hi Scott,
    Thank you for this great article…
    I have a Windows 2003 domain and am about to introduce the first Windows 2008 DC.
    I need to move the CA from a win2003 DC.

    I understand how to backup and restore the DB etc. however too many articles to read left me unsure.

    All I want is to transfer the CA role to a new Windows 2008 with a different HOST name…
    Is this possible, or do I need to move it to another win 2003 server and do the OS upgrade later?

    thanks heaps…

    DadiO

  31. Scott says:

    Hi DadiO,

    Tietze up above moved his CA to a new host name without any problem. A few years back I did the exact same thing from a 2003 to a 2003 so it can work. The CA name will remain the same but it looks like you can change the Host Name.

    Typically though what you would do if you wanted to preserve the host name would be to backup the CA, remove the CA, decommission the server and either rename the server or take it offline. Then build a new server (or change the name of an existing one) to the previous host name.

    But to be honest, I don’t see a problem with it.
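An added diagnostic for the host-name question running through comments 19, 24, 27, 30 and 31 (not code from the thread or from Microsoft's migration guide): run as an administrator on the new CA host after the restore, it compares the server name CertSvc has stored in its configuration with the machine it is now running on, then checks the service and pings the request interface. Assumed, and not stated on this page: that the stored name lives in the registry value CAServerName under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>, which is the value a stale entry from the old host would leave mismatched.

```powershell
# Added example, not from the original post. Run elevated on the new CA host.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $configKey)) {
    Write-Warning "No CertSvc configuration found on this machine; has the CA role been installed and restored?"
    return
}

# 'Active' holds the CA common name; the per-CA settings live in a subkey of that name.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey  = Join-Path $configKey $caName
$props  = Get-ItemProperty -Path $caKey

# ASSUMPTION: CAServerName is the host CertSvc believes it runs on (short or fully qualified).
$storedHost = "$($props.CAServerName)"
$shortName  = $env:COMPUTERNAME
$fqdnName   = ([System.Net.Dns]::GetHostEntry($shortName)).HostName

"CA common name          : $caName"
"CAServerName (registry) : $storedHost"
"This host               : $shortName / $fqdnName"

# PowerShell string comparison (-eq / -ne) is case-insensitive, which is what we want here.
if (-not $storedHost) {
    Write-Warning "CAServerName is empty; the CA configuration may not have been restored completely."
} elseif (($storedHost -ne $shortName) -and ($storedHost -ne $fqdnName)) {
    Write-Warning "CAServerName still points at '$storedHost', not this host. Expect CertSvc to fail to start until it matches."
} else {
    "CAServerName matches this host."
}

# Service state and a request-interface ping close the loop: a CA that starts but does not
# answer -ping will not issue or renew certificates, which is the symptom to watch after the move.
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if ($svc) { "CertSvc service status  : $($svc.Status)" } else { Write-Warning "CertSvc service not present." }

if ($svc -and $svc.Status -eq 'Running') {
    $pingOutput = & certutil.exe -ping 2>&1
    if ($LASTEXITCODE -eq 0) { "certutil -ping          : OK" }
    else { Write-Warning "certutil -ping failed:`n$($pingOutput -join "`n")" }
}
```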

  32. Franky says:

    Hi, I was wondering if the process was the same or similar for moving it over to another W2k3 box. Right now I have to move the subordinate because I have hardware failing but at some point the Root will need to go as well. I don’t intend to upgrade to 2008 yet. We are discussing this and you can see more details at:

    http://web2.minasi.com/forum/topic.asp?TOPIC_ID=35260

    Any assistance is appreciated. Thanks.

  33. DadiO says:

    Hi Scott,
    Cheers mate for the reply….

    Keep up the good work!

    DadiO

  34. Scott says:

    Franky, Yes, the process is pretty similar. The screen shots will be different but you will still want to backup the CA and Database with the Certificate, decommission the server, build a new one with the same name and restore the CA. It’s been a few years since doing a 2003 to a 2003 but the process shouldn’t be too much different other than the way you deploy CA in 2003, i.e. Control Panel, Add/Remove Programs, Add Windows Components.

  35. Franky says:

    Thanks Scott. Will the clients keep chugging along while this is being rebuilt or will they have downtime?

  36. Scott says:

    Franky, The clients will keep working; however, new certificate requests will not be permitted. Keep in mind the CA is trusted and the certificate is trusted. As long as the certificates are not revoked you are fine.

  37. Birdman says:

    What happens in the scenario where I want to set a database to a different CAS – but Outlook doesn’t change the profile automatically? So say I have all my users pointing to a CAS Array – then I decide to failover to Site B (DR Site). I update the RPCClientAccessServer for the databases to the new CAS Server (or Array) – but since the original CAS Array is not reachable the Outlook profiles never seem to switch over to the new CAS Array. If the original CAS Server/Array is available then it does redirection, but when not available it seems to break Outlook. I’m testing this for this scenario:

    Site A – active Datacenter
    Site B – DR Datacenter (no active users, mailboxes, CAS Servers)

    Site A fails and I want to manually switchover to Site B. I switchover the databases and update the RPCClientAccessServer for the databases. So users will be connecting to Site B, but their existing Outlook profiles never switch over to the new CAS Server/Array – they just hang trying to connect to the original. If I recreate the Outlook profile it works just great. Now, one option would be to change the DNS record of the CAS Array. I’m sure that would work fine, but what if I want to keep one database alive in Site A – in a case where only network connectivity TO Site A is down – but all my local servers/users are up? My plan is to have a separate CAS Server in Site A that I point my local users’ database to – and switchover everything else to Site B. I would have thought AutoDiscover would check to see the SCP and point my profile to the new CAS Server. What would I be missing here?

  38. Franky says:

    Fantastic. Thanks!

  39. Mark says:

    Great article, thanks!

    One question:

    “Finally, rename the old server or permanently disconnect it from the network.” Is this absolutely necessary? My current 2003 R2 CA hosts a couple of other functions; it would be tricky to rename and I’m not ready to remove it altogether! (It is also an intranet web server and file server!)

    Just wondering if it is a ‘good practice’ to do vs ‘must be renamed/removed for migration to work’.

  40. Scott says:

    Mark, You could try to rename the new CA to something different as Tietze did. It is recommended to rename or disconnect the system. Typically you want a CA on a standalone system to prevent anything like your situation from occurring.

  41. Scott says:

    Birdman, an interesting Scenario.

    When a user connects to a CAS array they are basically connecting to a CAS in the AD site where their database tells them to connect. The CAS will then perform a lookup to determine which server their database is located on. In the event that the database is on another server in another site a redirect will occur where the system will connect them to the CAS in the site where their mailbox resides.

  42. Birdman says:

    Scott, yes this is a very interesting scenario. What you mentioned does appear to work very well. What I’m struggling with is when I want to stop using the CAS Array and point a single database towards a dedicated CAS Server – since in the case where a Datacenter is still up, but not reachable. So, what I’m seeing in my testing now is that Outlook (2010) WILL finally see that the user’s database is on a different CAS server and change the profile – but it takes 10-15 minutes – and hasn’t happened every single time. What appears to be happening is Outlook keeps trying the CAS Array – which isn’t available – so no redirect can happen. It keeps retrying a certain number of times and then decides to do an AutoDiscover to repair the profile. Now, if I were to change the RPCClientAccessServer value and either recreate the Outlook profile or do a Repair – it works immediately. The main issue here seems to be if the original CAS server is not available Outlook SHOULD AutoDiscover, look up the SCP value for the CAS Server and reconfigure – but it’s not consistently doing that – and when it does it takes a while. This is a situation that is rare, I agree, but something that I’m trying to accommodate. I could just dedicate that database to one CAS Server, but I’d be losing the advantage of a CAS Array. Trying to have my cake and eat it too :) I found one TechNet article that said Outlook should do a Re-Autodiscover upon boot up – but it doesn’t appear to. If it would timeout after 5 minutes and then do a Re-Autodiscover I’d be happy with that – but I can’t find any literature on what the retry/timeout period is :(

  43. [...] Issues with Migrating users to Exchange 2010 and Migrating Users to new … [...]

  44. Tim says:

    Just to say excellent article!

    Managed to move from 2003 R2 x64 to 2008 R2 without any problems!

    Thank You

  45. Le Phong says:

    Hi Scott,
    If I have multi site exchange, can I create multi CAS array with the same name?

    Site A: mail.company.com (CAS member: CAS-01 & CAS-02)
    Site B: mail.company.com (CAS member: CAS-03 & CAS-04)
    Site C: mail.company.com (CAS member: CAS-05 & CAS-06)

    I use split DNS.

    Thanks.

  46. Scott says:

    Hmm, good question. I’m not sure. If you have a separate DNS environment the next question I would ask is about your DAG configuration, and then also your Active Directory configuration.

    Do you have a single AD Domain? How many AD Sites? Also, DNS, is it totally isolated? What about users and OWA access? What if a user in Site A is visiting in Site B?

    I wouldn’t recommend it but I don’t see why it couldn’t be done if you’re isolated…