Aaron Marks IT Consulting
EHLO; MAIL FROM: Aaron; RCPT TO: You; SUBJECT: Enjoy!
Exchange 2007 to 2010 Outlook Anywhere Transition
Author: Aaron Marks1 Dec
During my latest work transitioning a client’s Exchange environment from 2007 to 2010 I stumbled across an issue I had not ran in to previously. This issue involved running different versions of (2007 and 2010) Outlook Anywhere (OA) in one environment simultaneously. I couldn’t find good documentation on this process from Microsoft so I figured I’d hopefully help someone else out by documenting the process I went through.
First off, getting your Client Access Servers (CAS) up and running with the proper hostnames and associated SAN certificate is essential. The initial plan was to bring up the 2010 Outlook Anywhere (OA a.k.a. RPC over HTTP) and then disable the 2007 OA due to Microsoft’s recommendation to transition the CAS fully before proceeding with the migration. With this latest transition, I needed to keep both the Exchange 2007 and 2010 OA proxies running side-by-side. This was necessary due to having numerous domains that were hosted on this Exchange environment that wouldn’t be able to have their external DNS edited in time for the beginning of the migration (for a variety of reasons that are outside the scope of this post).
Due to Microsoft’s best practice recommendations, you would assume with two OA proxies that you would want to direct traffic to the 2010 OA as early in the migration as possible via Autodiscover. You can have Autodiscover point to a specific OA proxy by editing the EXPR Outlook Provider. You could run a command such as:
Set-OutlookProvider –Identity:EXPR –Server:mail.contoso.com
The problem with doing this though is that Autodiscover will start passing an “AuthPackage: unspecified” for the EXPR Outlook Provider. I’m not sure what the reason for this limitation is but the Exchange Team likely has a reason for this since they have already posted a TechNet article on this exact issue.
This wouldn’t be a problem for anyone expecting to use Basic authentication for OA (Basic is the default AuthPackage used by Outlook when one is not specified), but anyone with an environment that is compatible with NTLM should be setting:
Set-OutlookAnywhere -Identity:”SERVER\Rpc (Default Web Site)” -ClientAuthenticationMethod:Ntlm -IISAuthenticationMethods:Ntlm
NTLM is the ideal OA authentication mechanism due to its ability to pass stored credentials under all conditions. Microsoft states in multiple places on the Exchange Team Blog, TechNet, and various support articles that NTLM is the recommended method of authentication when possible (Kerberos is alternatively recommended for larger deployments):
“If you click Basic Authentication or NTLM Authentication and an LM Compatibility Level of less than 2, you will be prompted for a password each time a connection is made to Exchange. With Basic Authentication, the password is sent in clear text. For increased security, we recommend that you select the NTLM Authentication…”
I determined that the correct procedure after studying the problem is to actually leave the EXPR Outlook Provider’s “-Server:$null” and to leave both OA versions running. Users on the 2010 Mailbox server will proxy through the OA 2010 server and users on the 2007 Mailbox server will proxy through the OA 2007 server.
My main concern with running both the 2007 and 2010 OA was that the Move-Mailbox would not correctly alert the clients to change the OA settings and Mailbox server simultaneously. Fortunately, Outlook does an Autodiscover check every time that it boots up. The way this ends up working in practice is as follows:
- User is on 2007 Mailbox server communicating with 2007 CAS via an Outlook client that is configured via the 2010 CAS’ Autodiscover.
- Once the Move-Mailbox completes on their Mailbox, the 2007 Mailbox server alerts the Outlook client that it needs to display a pop-up message instructing the user to restart Outlook for changes made by the Administrator to take affect.
- User restarts Outlook.
- Outlook switches the mailbox server over automatically to the 2010 server because it was instructed to do this before Outlook was restarted.
- Outlook also speaks to the 2010 CAS’ Autodiscover which once again now knows that the mailbox was moved over to the 2010 Mailbox server and intelligently knows that the best CAS will be the 2010 CAS, thus informing the Outlook client of the new 2010 OA settings.
- User is now fully reconfigured in a relatively seamless process.
I hope this helps fellow system administrators out there running through a similar migration. Please let me know if this did the trick for your migration, if you had different experiences, or have any related advice for how others and myself can further improve our Exchange transitions.
Here are a couple useful pieces to read as well:
- Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere on iLantz’ Blog
- The Autodiscover Service and Outlook Providers – how does this stuff work? on the Exchange Team Blog
- Outlook Anywhere Basic vs. Ntlm Authentication Explained on the SysAdmin Lab Blog
One Response for "Exchange 2007 to 2010 Outlook Anywhere Transition"
Aaron, thanks for this post. Very helpful.
So autodiscover will be able to transition automatically?
currently the server it points to for us in outlook anywhere is our Clustered Mailbox server name. “company-vex-001″ if you look at account properties.
So what should appear after a mailbox move to 2010? the dag name the mailbox servers belong to?
Also, for this information to be updated automatically by autodiscover, is the legacy.domain.com legacy hostnames required to be configured for this transition to work seamlessly, or no?
We’re planning on a weekend transition and mailbox move that potentially wouldn’t need co-existance and users wouldn’t necessarily be actively accessing outlook during this time.
Any inpout would be great, as I can’t find answers to these specific planning questions.
Thanks,
Josh
Josh
Leave a reply