Hi all, we just installed Exchange 2013 into our Exchange 2010 SP3 Organization, and are now having a few problems.
We have the following:-
2010 Edge * 2
2010 CAS * 2 (also UM)
2010 Mailbox * 2
2010 UM * 1 (for a separate company in the group)
The current 2010 environment has an entirely separate incoming and outgoing internet route and an F5 loadbalancer.
2013 CAS * 3
2013 Mailbox * 3
Kemp LoadMaster with ESP
We are using a different internet connection entirely for this (for reasons I won’t go into, as it’s of no relevance to the issue)
All DNS records still point all users to the Exchange 2010 CAS and all mailboxes (with the exception of a couple of Exchange admins and test accounts) still reside on the Exchange 2010 infrastructure.
However, now that co-existence is happening, we have run into some issues.
We have configured the new Exchange 2013 CAS servers with our public CA SSL certificates.
We have also configured Outlook Anywhere on the Exchange 2013 CAS to use public DNS name.
We have also used the Configure External Access Domain option under Virtual Directories to configure the External Access name. Please see table:-
Get-VirDirInfo.ps1
Report generated on: 16 September 2015 15:48:23
General Client Access Server Information
ServerExchange VersionRolesEdition
GS1ADVMEXHV03Microsoft Exchange Server 2010 SP3ClientAccess, UnifiedMessaging, HubTransportEnterprise
GS1ADVMEXHV04Microsoft Exchange Server 2010 SP3ClientAccess, UnifiedMessaging, HubTransportEnterprise
SL1ACSEXCCAS01Exchange Server 2013 Service Pack 1 (SP1) (CU4)ClientAccessEnterprise
SL1ACSEXCCAS03Exchange Server 2013 Service Pack 1 (SP1) (CU4)ClientAccessEnterprise
SL1ACSEXCCAS02Exchange Server 2013 Service Pack 1 (SP1) (CU4)ClientAccessEnterprise
Autodiscover
ServerInternal UriInternalURLExternalUrlAuth. (Int.)Auth. (Ext.)Site ScopeLast modified on:
GS1ADVMEXHV03https://mail.domain.com/autodiscover/autodiscover.xmlBasic Ntlm WindowsIntegrated WSSecurity
Basic Ntlm WindowsIntegrated WSSecurityGS1,SL106/10/2015 14:38:07
GS1ADVMEXHV04https://mail.domain.com/autodiscover/autodiscover.xmlBasic Ntlm WindowsIntegrated WSSecurity
Basic Ntlm WindowsIntegrated WSSecurityGS1,SL106/10/2015 14:38:07
SL1ACSEXCCAS01https://mail.domain.com/autodiscover/autodiscover.xmlBasic Ntlm WindowsIntegrated WSSecurity OAuthBasic Ntlm WindowsIntegrated WSSecurity OAuthGS1,SL108/12/2015 16:37:22
SL1ACSEXCCAS03https://mail.domain.com/autodiscover/autodiscover.xmlBasic Ntlm WindowsIntegrated WSSecurity OAuthBasic Ntlm WindowsIntegrated WSSecurity OAuthGS1,SL108/12/2015 16:33:40
SL1ACSEXCCAS02https://mail.domain.com/autodiscover/autodiscover.xmlBasic Ntlm WindowsIntegrated WSSecurity OAuthBasic Ntlm WindowsIntegrated WSSecurity OAuthGS1,SL108/12/2015 16:34:06
Outlook Web App (OWA):
ServerName
InternalURLExternalUrlInt. Auth.Last modified on:
GS1ADVMEXHV03owa (Default Web Site)https://mail.domain.com/OWAhttps://mail.domain.com/OWABasic Fba Ntlm WindowsIntegrated06/10/2015 14:38:07
GS1ADVMEXHV04owa (Default Web Site)https://mail.domain.com/OWAhttps://mail.domain.com/OWABasic Fba Ntlm WindowsIntegrated06/10/2015 14:38:07
SL1ACSEXCCAS01owa (Default Web Site)https://mail.domain.com/OWAhttps://mail.domain.com/OWABasic08/24/2015 15:39:00
SL1ACSEXCCAS03owa (Default Web Site)https://mail.domain.com/OWAhttps://mail.domain.com/OWABasic08/24/2015 15:39:30
SL1ACSEXCCAS02owa (Default Web Site)https://mail.domain.com/OWAhttps://mail.domain.com/OWABasic08/24/2015 15:39:00
Exchange Control Panel (ECP):
ServerName
InternalURLExternalUrlInt. Auth.Last modified on:
GS1ADVMEXHV03ecp (Default Web Site)https://mail.domain.com/ecphttps://mail.domain.com/ecpBasic Fba Ntlm WindowsIntegrated06/10/2015 14:38:09
GS1ADVMEXHV04ecp (Default Web Site)https://mail.domain.com/ecphttps://mail.domain.com/ecpBasic Fba Ntlm WindowsIntegrated06/10/2015 14:38:09
SL1ACSEXCCAS01ecp (Default Web Site)https://mail.domain.com/ECPhttps://mail.domain.com/ECPBasic08/24/2015 15:40:30
SL1ACSEXCCAS03ecp (Default Web Site)https://mail.domain.com/ECPhttps://mail.domain.com/ECPBasic08/24/2015 15:41:00
SL1ACSEXCCAS02ecp (Default Web Site)https://mail.domain.com/ECPhttps://mail.domain.com/ECPBasic08/24/2015 15:40:30
Outlook Anywhere:
ServerInternal HostnameExternal HostnameAuth.(Int.)Auth. (Ext.)Auth. IISLast modified on:
GS1ADVMEXHV03mail.domain.comNtlmBasicBasic Ntlm08/06/2015 14:24:11
GS1ADVMEXHV04mail.domain.comNtlmBasicBasic Ntlm08/06/2015 14:24:11
SL1ACSEXCCAS01mail.domain.commail.domain.comNtlmNtlmBasic Ntlm09/08/2015 13:27:53
SL1ACSEXCCAS03mail.domain.commail.domain.comNtlmNtlmBasic Ntlm09/08/2015 13:27:53
SL1ACSEXCCAS02mail.domain.commail.domain.comNtlmNtlmBasic Ntlm09/08/2015 13:27:53
MAPI/HTTP:
ServerInternal URLExternal URLAuth.(Int.)Auth. (Ext.)Auth. IISLast modified on:
GS1ADVMEXHV03Server isn't running Exchange 2013 SP1 or later.
GS1ADVMEXHV04Server isn't running Exchange 2013 SP1 or later.
SL1ACSEXCCAS01https://mail.domain.com/mapihttps://mail.domain.com/mapiBasicBasic09/04/2015 17:12:42
SL1ACSEXCCAS03https://mail.domain.com/mapihttps://mail.domain.com/mapiBasicBasic09/04/2015 17:12:42
SL1ACSEXCCAS02https://mail.domain.com/mapihttps://mail.domain.com/mapiBasicBasic09/04/2015 17:12:42
Offline Address Book (OAB):
ServerOABs
Internal URLExternal UrlAuth.(Int.)Auth. (Ext.)Last modified on:
GS1ADVMEXHV03\Default Offline Address Bookhttps://mail.domain.com/oabhttps://mail.domain.com/oabWindowsIntegratedWindowsIntegrated06/10/2015 14:38:08
GS1ADVMEXHV04\Default Offline Address Bookhttps://mail.domain.com/oabhttps://mail.domain.com/oabWindowsIntegratedWindowsIntegrated06/10/2015 14:38:08
SL1ACSEXCCAS01\DOMAIN Ex2013 OAB \Default Offline Address Book (Ex2013)https://mail.domain.com/oabhttps://mail.domain.com/oabWindowsIntegrated OAuthWindowsIntegrated OAuth08/24/2015 15:40:00
SL1ACSEXCCAS03\DOMAIN Ex2013 OABhttps://mail.domain.com/oabhttps://mail.domain.com/oabWindowsIntegrated OAuthWindowsIntegrated OAuth08/24/2015 15:40:30
SL1ACSEXCCAS02\DOMAIN Ex2013 OABhttps://mail.domain.com/oabhttps://mail.domain.com/oabWindowsIntegrated OAuthWindowsIntegrated OAuth08/24/2015 15:40:00
ActiveSync (EAS):
ServerInternal URLExternal UrlAuth. (Ext.)Last modified on:
GS1ADVMEXHV03https://mail.domain.com/Microsoft-Server-Activesynchttps://mail.domain.com/Microsoft-Server-Activesync06/10/2015 14:38:08
GS1ADVMEXHV04https://mail.domain.com/Microsoft-Server-Activesynchttps://mail.domain.com/Microsoft-Server-Activesync06/10/2015 14:38:08
SL1ACSEXCCAS01https://mail.domain.com/Microsoft-Server-Activesynchttps://mail.domain.com/Microsoft-Server-Activesync08/24/2015 15:39:30
SL1ACSEXCCAS03https://mail.domain.com/Microsoft-Server-Activesynchttps://mail.domain.com/Microsoft-Server-Activesync08/24/2015 15:40:00
SL1ACSEXCCAS02https://mail.domain.com/Microsoft-Server-Activesynchttps://mail.domain.com/Microsoft-Server-Activesync08/24/2015 15:40:00
Exchange Web Services(EWS):
ServerInternal URLExternal UrlAuth. (Int.)Auth. (Ext.)MRS Proxy EnabledLast modified on:
GS1ADVMEXHV03https://mail.domain.com/ews/exchange.asmxhttps://mail.domain.com/ews/exchange.asmx
Basic Ntlm WindowsIntegrated WSSecurityBasic Ntlm WindowsIntegrated WSSecurityTrue06/10/2015 14:38:09
GS1ADVMEXHV04https://mail.domain.com/ews/exchange.asmxhttps://mail.domain.com/ews/exchange.asmx
Basic Ntlm WindowsIntegrated WSSecurityBasic Ntlm WindowsIntegrated WSSecurityTrue06/10/2015 14:38:09
SL1ACSEXCCAS01https://mail.domain.com/EWS/Exchange.asmxhttps://mail.domain.com/EWS/Exchange.asmx
Basic Ntlm WindowsIntegrated WSSecurity OAuth
Basic Ntlm WindowsIntegrated WSSecurity OAuth
True08/24/2015 15:38:08
SL1ACSEXCCAS03https://mail.domain.com/EWS/Exchange.asmxhttps://mail.domain.com/EWS/Exchange.asmx
Basic Ntlm WindowsIntegrated WSSecurity OAuth
Basic Ntlm WindowsIntegrated WSSecurity OAuth
True08/24/2015 15:38:23
SL1ACSEXCCAS02https://mail.domain.com/EWS/Exchange.asmxhttps://mail.domain.com/EWS/Exchange.asmx
Basic Ntlm WindowsIntegrated WSSecurity OAuth
Basic Ntlm WindowsIntegrated WSSecurity OAuth
True08/24/2015 15:38:23
The next step was to repoint the mail. and autodiscover. records to the address of the new loadbalancer to pass to a 2013 CAS and repoint MX records to use the new incoming route….. However…..
Some testing has been a pain, as given that I’m having to use hosts files to prove this, EXRCA (https://testconnectivity.microsoft.com/) is not a lot of use in this situation.
I have attempted to test using a modified hosts file on client machines to prove that, when repointing these DNS records to the 2013 environment, everything will continue to work correctly and the 2013 CAS should proxy to 2010.
What does work:-
OWA – works regardless of whether the mailbox resides on 2010 or 2013 infrastructure.
AutoDiscover – appears to work (using Test E-Mail Auto Configuration by Ctrl + Right Click on the client tray icon)
Internally, everything works for my 2010 based test users, whether pointed at the internal address for the Kemp CAS loadbalancing or the internet facing address that routes to the Kemp for CAS loadbalancing. Myself and a couple of others on the 2013 environment
also work whether pointed at the internal address for the Kemp CAS loadbalancing or the internet facing address that routes to the Kemp for CAS loadbalancing.
Externally, and therefore Outlook Anywhere, using hosts files it works for the 2013 based users and SOME 2010 based users.
What doesn't work:-
Two of the four test users cannot connect when opening Outlook. It just displays Disconnected.
I have already proven that it is not a fault with the Kemp loadbalancer ESP settings, by pointing to the non-esp load balanced (internal load balance) address and setting a hosts entry for outlook1.domain.com (the 2010 CASarray address) to an unresolvable IP
(128.0.0.1) which should force it to use Outlook Anywhere/RPC over HTTP(S).
Certificates all look good, it isn’t device specific (recreated mail profile and tried on other machines, which I can also get to work with another 2010 based account).
I have run Get-MailBoxUser |FL against both a working and non-working 2010 account (both of which reside on the same mailbox database) and compared them and nothing stands out that could be causing the problem.
Any/all advice appreciated!