Exchange Deployment and Coexistence

Transcript

http://technet.microsoft.com/en-us/library/cc731125(v=WS.10).aspx
Exchange 2010 vs Exchange 2013 architecture
[Diagram: Exchange 2010 places a Layer 7 load balancer in front of the Client Access, Hub Transport and Unified Messaging roles, with the Mailbox role behind them; the 2010 Client Access role carries AuthN, proxy and redirect together with protocols, API and business logic, while the Mailbox role holds assistants, store and content indexing (CI). Exchange 2013 places a Layer 4 load balancer in front of the Client Access role, which now does only AuthN, proxy and redirect; the 2013 Mailbox role holds protocols, assistants, API, business logic, store and CI.]
Upgrading from Exchange 2010
[Diagram: clients reach autodiscover.contoso.com and mail.contoso.com; the Internet-facing site (upgrade first) holds E2010 HUB, CAS and MBX at SP3 plus the new E2013 CAS and MBX; the intranet site holds Exchange 2010 SP3 servers. Steps 1-6 are numbered on the diagram.]
1. Prepare
   Install Exchange 2010 SP3 across the org
   Prepare AD with Exchange 2013 schema
   Validate existing Client Access using Remote Connectivity Analyzer and test connectivity cmdlets
2. Deploy Exchange 2013 servers
   Install both Exchange 2013 MBX and CAS roles
3. Obtain and deploy certificates
   Obtain and deploy certificates on Exchange 2013 Client Access Servers
4. Switch primary namespace to Exchange 2013 CAS
   Exchange 2013 fields all traffic, including traffic from Exchange 2010 users
   Validate using Remote Connectivity Analyzer
5. Move mailboxes
   Build out DAG
   Move Exchange 2010 users to Exchange 2013 MBX
6. Repeat for additional sites
Upgrading from Exchange 2007
[Diagram: clients reach autodiscover.contoso.com, mail.contoso.com and legacy.contoso.com; the Internet-facing site (upgrade first) holds E2007 SP3 CAS, HUB and MBX plus the new E2013 CAS and MBX; the intranet site holds Exchange 2007 servers at RU10. Steps 1-7 are numbered on the diagram.]
1. Prepare
   Install Exchange 2007 SP3 + RU10 across the org
   Prepare AD with Exchange 2013 schema
2. Deploy Exchange 2013 servers
   Install both Exchange 2013 MBX and CAS servers
3. Create legacy namespace
   Create DNS record to point to legacy Exchange 2007 CAS
4. Obtain and deploy certificates
   Obtain and deploy certificates on Exchange 2013 CAS servers configured with legacy namespace, Exchange 2013 namespace, and autodiscover namespace
   Deploy certificates on Exchange 2007 CAS
5. Switch primary namespace to Exchange 2013 CAS
   Validate using Remote Connectivity Analyzer
6. Move mailboxes
   Build out DAG
   Move Exchange 2007 users to Exchange 2013 MBX
7. Repeat for additional sites
Common upgrade steps (Exchange 2010 or Exchange 2007 source)
[Diagram: clients reach autodiscover.contoso.com and mail.contoso.com; the Internet-facing site (upgrade first) holds E2010 or 2007 HUB, CAS and MBX at the required SP/RU; the intranet site holds Exchange 2010 or 2007 servers at SP/RU.]
1. Prepare
   Install Exchange SP and/or updates across the org
   Prepare AD with Exchange 2013 schema and validate
2. Deploy Exchange 2013 servers
3. Create legacy namespace
4. Obtain and deploy certificates
5. Switch primary namespace to Exchange 2013 CAS
6. Move mailboxes
7. Repeat for additional sites
Prepare
Install Exchange 2007 SP3 + RU10 using same steps as previous Exchange 2007 roll-ups
Prepare Active Directory with Exchange 2013 schema
Validate existing client access using Remote Connectivity Analyzer and test connectivity cmdlets
http://www.exrca.com
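The Prepare step as a scripted sequence, added here as an example (it is not from the deck or from Microsoft): extend the schema and prepare the organization with the 2013 setup switches, confirm the schema version attribute actually changed, and then run the legacy test connectivity cmdlets against every CAS. The setup media path D:\ and the test-mailbox prerequisite are assumptions; the schema rangeUpper value 15137 is the published Exchange 2013 RTM value (later CUs are higher).

```powershell
# Added example, not from the deck. Run from an elevated Exchange Management Shell on a
# legacy server by an account that is Schema Admin and Enterprise Admin.
# Assumed: Exchange 2013 setup media mounted at D:\ (placeholder).

# --- Prepare AD: schema, organization, then every domain (existing org, so no /OrganizationName)
& D:\Setup.exe /PrepareSchema     /IAcceptExchangeServerLicenseTerms
& D:\Setup.exe /PrepareAD         /IAcceptExchangeServerLicenseTerms
& D:\Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

# --- Confirm the schema extension replicated: read rangeUpper on ms-Exch-Schema-Version-Pt
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pt = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Properties rangeUpper
$minimum2013 = 15137   # Exchange 2013 RTM; compare against the value documented for your CU
if ($pt.rangeUpper -lt $minimum2013) {
    Write-Warning "Schema rangeUpper is $($pt.rangeUpper); Exchange 2013 schema not yet applied or not replicated"
} else {
    "Schema rangeUpper = $($pt.rangeUpper) (Exchange 2013 level)"
}

# --- Validate existing client access on every legacy CAS with the test connectivity cmdlets.
# Each CAS needs the test mailbox created beforehand with New-TestCasConnectivityUser.ps1
# from the Scripts folder (assumed already done).
$failures = foreach ($cas in Get-ClientAccessServer) {
    $r = @()
    $r += Test-OutlookConnectivity    -Protocol HTTP -ClientAccessServer $cas.Name
    $r += Test-ActiveSyncConnectivity  -ClientAccessServer $cas.Name
    $r += Test-WebServicesConnectivity -ClientAccessServer $cas.Name
    $r | Where-Object { $_.Result -ne 'Success' } |
        Select-Object @{n='CAS';e={$cas.Name}}, Scenario, Result, Error
}
if ($failures) { $failures | Format-Table -AutoSize }
else           { 'All connectivity scenarios succeeded on every CAS' }
```

Fix anything the cmdlets flag before installing the first 2013 server; the Remote Connectivity Analyzer at exrca.com covers the same scenarios from the outside and should pass as well.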
2. Deploy Exchange 2013 servers
[Progress diagram: steps 1-7 as above with step 2 highlighted; E2013 CAS and E2013 MBX are added to the Internet-facing site beside the E2010 or 2007 HUB, CAS and MBX; clients still reach autodiscover.contoso.com and mail.contoso.com.]
Install both Exchange 2013 MBX and CAS servers
Install
- Setup.exe /mode:install /roles:clientaccess
- Setup.exe /mode:install /roles:mailbox
- Setup.exe /mode:install /roles:ManagementTools
Other required parameter
- /IAcceptExchangeServerLicenseTerms
MBX performs PowerShell commands; CAS is proxy only
GUI or command line
In-place upgrades not supported
Updated to reflect Exchange 2013 roles
New required parameter for license terms acceptance
3. Create legacy namespace
[Progress diagram: steps 1-7 with step 3 highlighted; clients now also resolve legacy.contoso.com, which points at the legacy CAS, alongside autodiscover.contoso.com and mail.contoso.com.]
Create Legacy Namespace
Used to access Exchange 2007 during coexistence
legacy.contoso.com
http://www.exrca.com
4. Obtain and deploy certificates
[Progress diagram: steps 1-7 with step 4 highlighted.]
Obtain and deploy certificates on Exchange 2013 CAS configured with legacy namespace, Exchange 2013 namespace, and Autodiscover namespace
Deploy certificates on Exchange 2007 CAS
Certificates
First notification shown 30 days prior to expiration
Subsequent notifications provided daily
Minimize the number of certificates
- The same private key is required on all CAS in a site for transient CAS failures to be seamless
- A unified namespace may mean the same cert is required on all sites covering the namespace
Minimize number of host names
- Use split DNS for Exchange host names: mail.contoso.com for Exchange connectivity on intranet and Internet with different IPs
- Don't list machine host names in certificate host name list
- Use load-balanced (LB) arrays for intranet and Internet access to servers
Use "Subject Alternative Name" (SAN) certificate
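One way to put the certificate guidance above into practice, added as an example that is not part of the deck: request a single SAN certificate for the three namespaces, deploy the same certificate and private key to every CAS in the site, and audit all CAS for mismatched thumbprints, approaching expiry and machine names in the SAN list. The file share path and subject details are assumptions.

```powershell
# Added example, not from the deck. Run in the Exchange 2013 Management Shell on one CAS.
# Assumed placeholders: \\fileserver\certs for request/PFX files, O=Contoso, C=US in the subject.

# --- 1. One request covering all public names; no machine host names in the SAN list
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.contoso.com, O=Contoso, C=US' `
    -DomainName  'mail.contoso.com','autodiscover.contoso.com','legacy.contoso.com' `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path '\\fileserver\certs\mail.contoso.com.req' -Value $req

# --- 2. Import the issued certificate on this CAS and bind it to IIS and SMTP
$cer   = [byte[]](Get-Content '\\fileserver\certs\mail.contoso.com.cer' -Encoding Byte -ReadCount 0)
$thumb = (Import-ExchangeCertificate -FileData $cer).Thumbprint
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS,SMTP

# --- 3. Same certificate (same private key) on every other CAS so a CAS failover is seamless
$pw  = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded -Password $pw
Set-Content -Path '\\fileserver\certs\mail.contoso.com.pfx' -Value $pfx.FileData -Encoding Byte
$pfxBytes = [byte[]](Get-Content '\\fileserver\certs\mail.contoso.com.pfx' -Encoding Byte -ReadCount 0)
foreach ($cas in (Get-ClientAccessServer | Where-Object { $_.Name -ne $env:COMPUTERNAME })) {
    Import-ExchangeCertificate -Server $cas.Name -FileData $pfxBytes -Password $pw
    Enable-ExchangeCertificate -Server $cas.Name -Thumbprint $thumb -Services IIS,SMTP
}

# --- 4. Audit: one IIS thumbprint across all CAS, >30 days to expiry, no machine names in SANs
$servers = Get-ClientAccessServer
$audit = foreach ($cas in $servers) {
    Get-ExchangeCertificate -Server $cas.Name | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
        $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        [pscustomobject]@{
            Server       = $cas.Name
            Thumbprint   = $_.Thumbprint
            DaysLeft     = [int]($_.NotAfter - (Get-Date)).TotalDays
            MachineNames = ($domains | Where-Object { $n = $_; $servers | Where-Object { $n -match "^$($_.Name)(\.|$)" } }) -join ','
        }
    }
}
$audit | Format-Table -AutoSize
if (@($audit.Thumbprint | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'CAS in this site present different IIS certificates; failover between them will not be seamless'
}
$audit | Where-Object { $_.DaysLeft -le 30 }  | ForEach-Object { Write-Warning "$($_.Server): certificate expires in $($_.DaysLeft) days" }
$audit | Where-Object { $_.MachineNames }     | ForEach-Object { Write-Warning "$($_.Server): machine host name(s) in SAN list: $($_.MachineNames)" }
```

The audit reproduces the three rules on the slide as checks rather than advice; the 30-day threshold matches the point at which Exchange 2013 starts its own expiry notifications.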
5. Switch primary namespace to Exchange 2013 CAS
[Progress diagram: steps 1-7 with step 5 highlighted; mail.contoso.com now resolves to the E2013 CAS, with legacy.contoso.com still pointing at the legacy CAS.]
Validate using Remote Connectivity Analyzer
https://www.testexchangeconnectivity.com/
Layer 7 load balancers are no longer required for the primary Exchange 2013 namespace
Layer 4 (aka no-affinity) is supported for the Exchange 2013 namespace
Exchange 2010 Coexistence
[Diagram: OWA clients reach mail.contoso.com through a Layer 4 LB in front of E2013 CAS (IIS, HTTP proxy) and europe.mail.contoso.com through a Layer 7 LB in front of E2010 CAS on the far side of a site boundary. E2013 CAS proxies to the E2013 MBX protocol head, store and DB, and to the E2010 CAS, which uses RPC to the E2010 MBX store and DB. Labelled flows: same-site redirect request (silent in CU2+), cross-site redirect request (silent in CU2+), cross-site proxy request.]
Exchange 2007 Coexistence
[Diagram: OWA clients reach legacy.contoso.com through a Layer 7 LB in front of E2007 CAS (IIS), mail.contoso.com through a Layer 4 LB in front of E2013 CAS (HTTP proxy), and europe.mail.contoso.com through a Layer 7 LB in front of a second E2007 CAS across a site boundary. E2013 CAS proxies to the E2013 MBX protocol head, store and DB; each E2007 CAS uses RPC to its E2007 MBX store and DB. Labelled flows: same-site redirect request (silent in CU2+), cross-site redirect request (silent in CU2+), cross-site proxy request.]
Switching to CAS 2013: Outlook Anywhere
[Diagram: Outlook Anywhere clients reach mail.contoso.com over RPC/HTTP. In the Internet-facing site a Layer 7 LB fronts the E2007/E2010 CAS (OA enabled; client auth Basic; IIS auth Basic, NTLM) and a Layer 4 LB fronts the E2013 CAS (OA enabled; IIS auth NTLM; HTTP proxy). E2013 CAS proxies RPC/HTTP to the legacy CAS in the Internet-facing site and to the legacy CAS in the intranet-facing site (OA disabled; client settings; IIS auth NTLM), each of which uses RPC to its E2007/E2010 MBX; E2013 MBX sits behind the E2013 CAS.]
1. Enable Outlook Anywhere on all legacy CAS
2. IIS Authentication Methods
   IIS Auth must have NTLM enabled on all legacy CAS
3. Client Settings
   Make legacy OA settings the same as 2013 CAS so all clients get the same proxy hostname
4. DNS Cutover
   A low TTL on the existing record the days prior to the cutover is a good idea.
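The four Outlook Anywhere cutover steps as one script, added as an example that is not from the deck: enable OA where it is missing, align the legacy settings with 2013 (shared proxy host name, NTLM accepted by IIS), verify, and check the DNS TTL before cutover. It assumes the legacy servers are Exchange 2010 (the Enable/Set-OutlookAnywhere parameters differ on 2007) and that Resolve-DnsName is available on the admin workstation.

```powershell
# Added example, not from the deck. Run in the Exchange 2010 Management Shell.
# Assumed: legacy CAS are Exchange 2010; mail.contoso.com is already published for the 2013 CAS.

$proxyHost = 'mail.contoso.com'   # the one proxy host name every client should receive

# --- 1. Enable Outlook Anywhere on every legacy CAS that does not have it yet
Get-ClientAccessServer |
    Where-Object { $_.AdminDisplayVersion.Major -lt 15 -and -not $_.OutlookAnywhereEnabled } |
    ForEach-Object {
        Enable-OutlookAnywhere -Server $_.Name -ExternalHostname $proxyHost `
            -ClientAuthenticationMethod Basic -SSLOffloading $false
    }

# --- 2 and 3. IIS must accept NTLM (2013 proxies to legacy CAS with NTLM) and the client-facing
# settings must match 2013 so every client gets the same proxy host name
Get-OutlookAnywhere | Where-Object { $_.AdminDisplayVersion.Major -lt 15 } | ForEach-Object {
    Set-OutlookAnywhere -Identity $_.Identity `
        -ExternalHostname $proxyHost `
        -ClientAuthenticationMethod Basic `
        -IISAuthenticationMethods Basic,NTLM
}

# --- Verify: every legacy CAS lists NTLM for IIS and publishes the shared host name
Get-OutlookAnywhere |
    Select-Object Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods |
    Format-Table -AutoSize
Get-OutlookAnywhere | Where-Object {
    $_.AdminDisplayVersion.Major -lt 15 -and
    (($_.IISAuthenticationMethods -join ',') -notmatch 'NTLM' -or $_.ExternalHostname -ne $proxyHost)
} | ForEach-Object { Write-Warning "$($_.Server): OA settings still differ from 2013; proxying will fail" }

# --- 4. DNS cutover prep: confirm the existing record's TTL was lowered in advance
# (Resolve-DnsName ships with Windows 8 / Server 2012 and later)
$rec = Resolve-DnsName -Name $proxyHost -Type A -DnsOnly
$rec | Format-Table Name, IPAddress, TTL -AutoSize
if ($rec | Where-Object { $_.TTL -gt 300 }) {
    Write-Warning "$proxyHost TTL is above 5 minutes; lower it days before moving the record to the 2013 CAS"
}
```

Only after the verification prints no warnings should the DNS record for mail.contoso.com move to the Exchange 2013 load balancer; clients that cached the old record keep working because the legacy CAS still answer with the same settings.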
Protocol behaviour during coexistence

Protocol | Exchange 2007 user accessing Exchange 2010 namespace | Exchange 2007 user accessing Exchange 2013 namespace | Exchange 2010 user accessing Exchange 2013 namespace
Requires | Legacy namespace | Legacy namespace | No additional namespaces
OWA | Same AD site: silent or SSO FBA redirect. Externally facing AD site: manual or silent/SSO cross-site redirect. Internally facing AD site: proxy | Silent redirect to CAS 2007 ExternalURL in same or different AD site | Same AD site: proxy to CAS 2010. Different AD site: cross-site silent redirect to ExternalURL
EAS | EAS v12.1+: Autodiscover & redirect. Older EAS devices: proxy | Proxy to MBX 2013 | Proxy to CAS 2010
Outlook Anywhere | Direct CAS 2010 support | Proxy to CAS 2007 | Proxy to CAS 2010
Autodiscover | Exchange 2010 answers Autodiscover query for 2007 user | Exchange 2013 answers Autodiscover query for 2007 user | Proxy to CAS 2010
EWS | Uses Autodiscover to find CAS 2007 EWS External URL | Uses Autodiscover to find CAS 2007 EWS External URL | Proxy to CAS 2010
POP/IMAP | Proxy | Proxy to CAS 2007 | Proxy to CAS 2010
OAB | Direct CAS 2010 support | Proxy to CAS 2007 | Proxy to CAS 2010
RPS | n/a | n/a | Proxy to CAS 2010
ECP | n/a | n/a | Same AD site: proxy to CAS 2010. Different AD site: cross-site silent redirect to ExternalURL
6. Move mailboxes
[Progress diagram: steps 1-7 with step 6 highlighted; mailboxes move from the E2010 or 2007 MBX to the E2013 MBX in the Internet-facing site.]
Build out DAG
Move users to Exchange 2013 MBX
7. Repeat for additional sites
Public Folder Migration
from Exchange 2007 or Exchange 2010 Public Folders
[Diagram: Outlook clients; an E2007 SP3 RU10 or E2010 SP3 mailbox server with PF databases 1-3; Exchange 2013 mailbox servers with PF mailboxes 1-3; steps 1-6 numbered on the diagram.]
1. Prepare
   Install Exchange SP and/or updates across the org
   Migrate all users that require access to Exchange 2013
2. Analyze
   Take snapshot of existing PF folder structure, statistics and permissions
   Map PF folders to PF mailboxes
3. Create new Public Folder mailboxes
   Set to HoldForMigration mode; mailboxes invisible to clients
4. Begin Migration Request
   Clients continue to access and create new data during copy
   After copy is complete, migration request status is AutoSuspended
5. Finalize Migration Request
   Update snapshot of existing PF folder structure, statistics and permissions
   Lock source, clients logged off, final sync occurs
6. Validate
   Check and verify destination folders
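The six migration steps above carried through as one scripted flow, added here as an example (not from the deck or from Microsoft). It uses the Exchange 2013 public folder migration cmdlets and the two helper scripts in the 2013 Scripts folder; the working directory, the legacy server name LEGACY-MBX01 and the 20 GB per-mailbox cap are assumptions, and the comments say which steps run in the legacy shell.

```powershell
# Added example, not from the deck. Steps 2 (snapshot) and 5 (lock) run in the legacy
# Exchange 2007 SP3 RU10 / 2010 SP3 Management Shell; the rest run in the 2013 shell.
# Placeholders: C:\PFMigration, LEGACY-MBX01, 20GB target mailbox size.

$work    = 'C:\PFMigration'
$scripts = Join-Path $env:ExchangeInstallPath 'Scripts'    # Exchange 2013 scripts folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# --- 2. Analyze (legacy shell): snapshot structure, statistics and permissions
Get-PublicFolder -Recurse | Export-CliXml "$work\Legacy_PFStructure.xml"
Get-PublicFolderStatistics | Export-CliXml "$work\Legacy_PFStatistics.xml"
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission |
    Select-Object Identity, User, AccessRights | Export-CliXml "$work\Legacy_PFPerms.xml"
# Size map from the legacy server, then the folder-to-mailbox map (2013 shell)
& "$scripts\Export-PublicFolderStatistics.ps1" "$work\PFSizeMap.csv" 'LEGACY-MBX01'
& "$scripts\PublicFolderToMailboxMapGenerator.ps1" 20GB "$work\PFSizeMap.csv" "$work\PFMailboxMap.csv"

# --- 3. Create the target PF mailboxes; the first holds the hierarchy and is created in
# HoldForMigration mode so none of them are visible to clients yet
$map   = Import-Csv "$work\PFMailboxMap.csv"
$first = $true
foreach ($name in ($map.TargetMailbox | Sort-Object -Unique)) {
    if ($first) { New-Mailbox -PublicFolder -Name $name -HoldForMigration:$true; $first = $false }
    else        { New-Mailbox -PublicFolder -Name $name }
}

# --- 4. Begin the migration request: initial copy while clients keep using the source
$csv = [System.IO.File]::ReadAllBytes("$work\PFMailboxMap.csv")
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server 'LEGACY-MBX01') -CSVData $csv
do {
    Start-Sleep -Seconds 300
    $req = Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics
    '{0}: {1} ({2}% complete)' -f (Get-Date), $req.Status, $req.PercentComplete
} until ($req.Status -eq 'AutoSuspended' -or $req.Status -eq 'Failed')

# --- 5. Finalize: lock the source (legacy shell; clients are logged off), refresh the
# snapshot, then release the request so the final sync runs
Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
Get-PublicFolderStatistics | Export-CliXml "$work\Legacy_PFStatistics_Final.xml"
Set-PublicFolderMigrationRequest -Identity \PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity \PublicFolderMigration

# --- 6. Validate on 2013: folder and item counts must match the final source snapshot
$before = Import-CliXml "$work\Legacy_PFStatistics_Final.xml"
$after  = Get-PublicFolderStatistics
'Source folders: {0}  Target folders: {1}' -f @($before).Count, @($after).Count
$itemDiff = ($before | Measure-Object ItemCount -Sum).Sum - ($after | Measure-Object ItemCount -Sum).Sum
if ($itemDiff -ne 0) { Write-Warning "Item count differs by $itemDiff; inspect before completing" }
else { Set-OrganizationConfig -PublicFolderMigrationComplete:$true }   # makes the new PFs visible
```

The lock in step 5 is the point of no return for clients, so the final snapshot is taken after it; comparing item totals before flipping PublicFolderMigrationComplete is the cheapest "check and verify destination folders" that still catches a short copy.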
Ambiguous URLs
Ambiguous URLs in Use
[Diagram: external network and DNS: Outlook (RPC/HTTPS), EWS, EAS and OWA clients reach mail.contoso.com (192.168.10.1) through a reverse proxy in the perimeter network. Internal network and DNS: mail.contoso.com (10.100.10.1) is a Layer-7 load balancer in front of two Exchange 2010 CAS carrying both RPC and HTTPS traffic; internal Outlook uses RPC/TCP, an application server uses MAPI over RPC/TCP, and public folder RPC traffic goes to the Exchange 2010 mailbox server.]
What is it? A customer did not use unique namespaces for HTTP and RPC workloads in 2010.
Doesn't this work? Yes, but... what CAN'T you do here?
Ambiguous URLs
What would we prefer? Unique namespaces for HTTP and RPC workloads in 2010.
[Diagram: the same external path through the reverse proxy to mail.contoso.com (192.168.10.1). Internally, mail.contoso.com (10.100.10.1) carries only HTTPS traffic to the Layer-7 load balancer in front of the two Exchange 2010 CAS, while outlook.contoso.com (10.100.10.1) carries the RPC traffic from Outlook (RPC/TCP) and from the application server using MAPI over RPC/TCP; public folder RPC traffic goes to the Exchange 2010 mailbox server.]
Why do we prefer it?
- Easier to guarantee RPC name is internal only.
- Allows us to move HTTP workloads without client interruption.
Ambiguous URLs
Step 1 to fix it.
- Get Outlook to Ex2013 compatible versions.
- Enable OA if not yet used
- Force Outlook Anywhere internally with Outlook Provider Flags in Autodiscover
- Force non-OA capable apps to resolve to the L7 load balancer via HOSTS file.
[Diagram: internal network and DNS; Outlook now uses RPC/HTTPS to mail.contoso.com (10.100.10.1, the Layer-7 load balancer in front of the two Exchange 2010 CAS); the application server, with a HOSTS entry forcing mail.contoso.com to 10.100.10.1 due to no OA compatibility, still sends RPC traffic; Exchange 2010 mailbox server behind the CAS.]
Ambiguous URLs
Step 2 to fix it.
Introduce Exchange 2013 and proxy 2010 users through it.
[Diagram: mail.contoso.com now resolves to 10.100.10.2, a load balancer in front of Exchange 2013 CAS; Outlook RPC/HTTPS reaches Exchange 2013 CAS, which proxies to Exchange 2010 CAS behind the Layer-7 load balancer at 10.100.10.1; the application server with a HOSTS entry forcing mail.contoso.com to 10.100.10.1 (no OA compatibility) keeps its RPC/TCP traffic to Exchange 2010 CAS; Exchange 2010 and Exchange 2013 mailbox servers behind their CAS.]
Ambiguous URLs
Recap on what to do if you encounter it.
- Get clients on Exchange 2013 compatible versions to ensure ServerExclusiveConnect is usable.
- Enable OA for all users prior to introducing Exchange 2013
- Force clients to connect with HTTP via Outlook provider flag ServerExclusiveConnect and then proxy through 2013
- Modify HOSTS file for any application which is not OA capable so the URL still resolves to the L7 load balancer for 2010 for that application.
More details and ramblings at...
http://blogs.technet.com/b/exchange/archive/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-toexchange-2013-migrations.aspx
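The two configuration changes from the recap, added as an example that is not from the deck: part A sets the ServerExclusiveConnect provider flag and makes sure OA is enabled on every 2010 CAS; part B pins mail.contoso.com to the 2010 load balancer on the application server that cannot use OA, and verifies the pin. The IPs and names are the deck's own placeholders.

```powershell
# Added example, not from the deck.
# Part A: Exchange 2010 Management Shell. Part B: elevated PowerShell on the non-OA-capable
# application server. 10.100.10.1 (2010 L7 LB) and 10.100.10.2 (2013 LB) are the deck's placeholders.

# --- A. EXPR is the Autodiscover provider for Outlook Anywhere; ServerExclusiveConnect makes
# Outlook connect over HTTP exclusively, even on the internal network.
Get-OutlookProvider EXPR | Format-List Name, Server, CertPrincipalName, OutlookProviderFlags
Set-OutlookProvider EXPR -OutlookProviderFlags ServerExclusiveConnect
# OA must be on for every user before 2013 starts proxying, so enable it on any 2010 CAS lacking it
Get-ClientAccessServer | Where-Object { -not $_.OutlookAnywhereEnabled } | ForEach-Object {
    Enable-OutlookAnywhere -Server $_.Name -ExternalHostname 'mail.contoso.com' `
        -ClientAuthenticationMethod Basic -SSLOffloading $false
}

# --- B. Keep mail.contoso.com resolving to the 2010 L7 load balancer for the RPC/TCP-only
# application, so moving the DNS record to the 2013 load balancer does not break its MAPI session.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry = "10.100.10.1`tmail.contoso.com`t# pinned to Exchange 2010 L7 LB (app has no OA support)"
$present = Get-Content $hosts | Where-Object { $_ -match '^\s*10\.100\.10\.1\s+mail\.contoso\.com(\s|$)' }
if (-not $present) { Add-Content -Path $hosts -Value $entry }
ipconfig /flushdns | Out-Null

# Verify the pin took effect: the app server must resolve the name to the 2010 LB, not 10.100.10.2
$resolved = [System.Net.Dns]::GetHostAddresses('mail.contoso.com') | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains '10.100.10.1') {
    Write-Warning "mail.contoso.com resolves to $($resolved -join ',') on this host; HOSTS pin not effective"
} else {
    'mail.contoso.com pinned to 10.100.10.1 on this host'
}
```

Remove the HOSTS entry once the application is retired or upgraded to an OA-capable version, otherwise it keeps talking to the 2010 CAS after everyone else has moved.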
SMTP Transition
Edge Transport
General Mail flow
OABs and re-downloads Part 1
Exchange 2013 creates a new default OAB for the org. This will trigger full OAB downloads by clients due to the new OAB GUID.
Avoid this by specifying the existing OAB as default on all legacy DBs prior to installing 2013
OABs and re-downloads Part 2a
Downloads from different OABGen mailboxes = a full download
Two OABGen mailboxes will generate the same OAB at different times.
As a result, differential files even of the same name won't be the same content.
This results in a corrupt OAB, triggering the client to perform a full download.
How to find your OABGen mailbox(es)
OABs and re-downloads Part 2b
So what do we do to avoid that?
Keep only one OAB Gen capable system mailbox per AD site
Setup below has 2 OABGen mailboxes, one per AD site.
OABs and re-downloads Part 2c
If a DAG spans two sites the OABGen mailbox DBs could move about. What can we do to prevent this from triggering full re-downloads?
Place OABGen mailboxes in DBs only replicated locally to keep them isolated.
[Diagram: DAG-001 spanning Site A and Site B; the database containing OABGen mailbox 1 (OABGen-01) is replicated only within Site A and the database containing OABGen mailbox 2 (OABGen-02) only within Site B.]
OABs and re-downloads Part 2d
What if my DBs activate in my other site? Won't the user then download from a different OABGen mailbox?
Correct you are... so only have one OABGen mailbox per organization.
[Diagram: DAG-001 spanning Site A and Site B with a single OABGen mailbox (OABGen-01) whose database can activate in either site.]
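The OAB checks from Part 1 and Parts 2b-2d as a script, added here as an example that is not from the deck: part A pins the existing OAB as the default on every legacy database before the first 2013 server is installed; part B finds the OABGen mailboxes (the documented Get-Mailbox -Arbitration / PersistedCapabilities lookup), warns when there is more than one, and reports whether each one's database has copies in more than one site. Names are placeholders.

```powershell
# Added example, not from the deck.
# Part A: Exchange 2010 Management Shell, before installing Exchange 2013.
# Part B: Exchange 2013 Management Shell, after 2013 is deployed.

# --- A (Part 1). Make the current default OAB explicit on every legacy DB so the new 2013
# default OAB (new GUID) does not trigger full downloads for users on those databases.
$legacyOab = Get-OfflineAddressBook | Where-Object { $_.IsDefault }
Get-MailboxDatabase | Where-Object { $_.OfflineAddressBook -eq $null } | ForEach-Object {
    Set-MailboxDatabase -Identity $_.Identity -OfflineAddressBook $legacyOab.Identity
}
Get-MailboxDatabase | Format-Table Name, OfflineAddressBook -AutoSize

# --- B (Parts 2b-2d). Find OABGen mailboxes and check whether their databases stay in one site.
$oabGen = @(Get-Mailbox -Arbitration | Where-Object { $_.PersistedCapabilities -like '*OABGen*' })
if ($oabGen.Count -gt 1) {
    Write-Warning "$($oabGen.Count) OABGen mailboxes found; clients that switch between them get a full download"
}
$report = foreach ($m in $oabGen) {
    $db     = Get-MailboxDatabase -Identity $m.Database
    $copies = @(Get-MailboxDatabaseCopyStatus -Identity $db.Name)
    $sites  = @($copies | ForEach-Object { (Get-ExchangeServer -Identity $_.MailboxServer).Site.Name } | Sort-Object -Unique)
    [pscustomobject]@{
        OABGenMailbox = $m.Name
        Database      = $db.Name
        Copies        = ($copies | ForEach-Object { $_.MailboxServer }) -join ','
        Sites         = ($sites -join ',')
        LocalOnly     = ($sites.Count -eq 1)   # Part 2c: copies confined to one site
    }
}
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.LocalOnly } | ForEach-Object {
    Write-Warning "$($_.Database) (holds $($_.OABGenMailbox)) can activate in $($_.Sites); a cross-site activation changes the generating mailbox"
}
```

With a single OABGen mailbox per organization (Part 2d) the site check in part B no longer matters for re-downloads; it is still useful for knowing where OAB generation will happen after a failover.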
EWS Clients and Legacy Public Folders
EWS clients with mailboxes on 2013 will not be able to access legacy PFs
- Entourage 2008 EWS Edition
- Outlook for Mac 2011
- Custom EWS scripts accessing PF data
[Diagram: EWS client connecting to mail.contoso.com through the Exchange 2013 EWS proxy.]
Quota Calculations
Mailbox and Public Folder data moved from legacy Exchange to Exchange 2013 will appear to grow
This is due to more accurate space usage calculation of items within the database compared to previous versions
Expectation is 30% increase in quota hit, but will vary based on the content types
May want to increase the quotas of any user using 75% or more of their quota prior to moving them to 2013.
The database size on disk does NOT increase
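A way to act on the quota guidance above, added as an example that is not from the deck: list mailboxes on legacy databases that already use 75% or more of their effective quota, project their reported size after the move with the 30% factor from the slide, and raise the limits for those that would exceed their quota. The 30% and 75% figures come from the deck; the new quota values and the per-mailbox override approach are assumptions.

```powershell
# Added example, not from the deck. Run in the Exchange 2010 Management Shell before moving users.
# The 0.30 growth factor and 0.75 threshold are the deck's figures; quota sizing is an assumption.

$threshold = 0.75
$growth    = 1.30

$report = foreach ($db in Get-MailboxDatabase | Where-Object { $_.AdminDisplayVersion.Major -lt 15 }) {
    foreach ($mbx in Get-Mailbox -Database $db.Identity -ResultSize Unlimited) {
        # Effective send quota: the database default unless the mailbox overrides it
        $quota = if ($mbx.UseDatabaseQuotaDefaults) { $db.ProhibitSendQuota } else { $mbx.ProhibitSendQuota }
        if ($quota.IsUnlimited) { continue }
        $stats = Get-MailboxStatistics -Identity $mbx.Identity
        $used  = $stats.TotalItemSize.Value.ToBytes()
        $limit = $quota.Value.ToBytes()
        $ratio = $used / $limit
        if ($ratio -ge $threshold) {
            [pscustomobject]@{
                Mailbox     = $mbx.Alias
                Database    = $db.Name
                UsedPct     = [math]::Round($ratio * 100, 1)
                QuotaMB     = [math]::Round($limit / 1MB)
                ProjectedMB = [math]::Round($used * $growth / 1MB)   # size as 2013 is expected to report it
            }
        }
    }
}
$report | Sort-Object UsedPct -Descending | Format-Table -AutoSize

# Raise limits only where the projected 2013 size would hit the current quota
foreach ($r in ($report | Where-Object { $_.ProjectedMB -ge $_.QuotaMB })) {
    $new = [int][math]::Ceiling($r.QuotaMB * $growth)
    Set-Mailbox -Identity $r.Mailbox -UseDatabaseQuotaDefaults $false `
        -IssueWarningQuota        ("{0}MB" -f [int]($new * 0.9)) `
        -ProhibitSendQuota        ("{0}MB" -f $new) `
        -ProhibitSendReceiveQuota ("{0}MB" -f [int]($new * 1.1))
    "$($r.Mailbox): quota raised from $($r.QuotaMB)MB to ${new}MB ahead of the move"
}
```

Raising the quota on the source side means the user is never blocked from sending in the window between the move completing and the 2013 database defaults being reviewed; the database size on disk is unaffected, as the slide notes.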