Exchange Team Blog

Exchange On-Premises Best Practices for Migrations from 2010 to 2016

Sep 18, 2019

As many of you know from the earlier blog post Exchange 2010 End of Support Is Coming, and its soon-to-be-a-classic sequel, Microsoft Extending End of Support for Exchange Server 2010 to October 13th, 2020, time is up for Exchange Server 2010 and you should plan to migrate to Office 365.

We have had some requests for guidance on moving from on-premises Exchange 2010 to 2016. If you have a hybrid configuration, mailboxes, or public folders on Exchange 2010, you should prepare to install Exchange 2016 before October 13, 2020.

This blog post is intended to provide best practices on preparing and planning your migration. Because there are so many different types of deployments and configurations, it is difficult to cover every scenario, but many of the common steps are included. With that said, please plan your migration carefully and include all aspects of the environment. Some of the steps below may not apply to your situation (we will err on the side of over-communicating details).

Please note that Exchange 2019 cannot coexist with Exchange 2010 in the same organization, so there is no direct migration path from 2010 to 2019; that path is not covered in this post.

Prepare 

Here are a few links that can help you understand the major moving parts and might be useful throughout the migration: 

Plan 

Planning is the most important step in this process. We recommend using the Exchange Deployment Assistant to help guide you in planning your migration. Collect information and use the table in the guide to annotate details about the organization.

Using our guidance such as the Plan for High Availability and Site Resilience documentation will help you decide how available is available enough. Consider all your failure domains, such as disk, network, entire node, virtualization loss, entire datacenter failure, etc. How many of those failures can your design survive? Does your environment today have any pain points which the new design can address?

When you have a plan in place, what are the associated costs for each component? Consider licensing, rack space, hardware, disk, network, bandwidth, backups or 3rd party app support. 

Server Sizing 

Review the following links to plan server sizing, virtualization and high availability: 

Certificates and Namespace  

Determine your migration plan for certificates, or whether new 3rd party certificates are needed. If you've reviewed the earlier referenced namespace planning link you should be aware of the requirements here. Seeing that this is a good opportunity, we have seen some of our customers change their namespaces (for example, changing the old namespace of remote.contoso.com to outlook.contoso.com). If split-brain DNS is not implemented, this would be a good time to plan moving from outlook.contoso.local to outlook.contoso.com. Another consideration is ambiguous URLs: if the Exchange 2010 CAS Array object FQDN is the same name as one used in your external URLs, clients can be affected during coexistence, so check this before Exchange 2016 is introduced.

Exchange Active Directory Deployment Site 

Consider installing Exchange 2016 into a dedicated Active Directory deployment site so that internal domain-joined clients do not discover the Autodiscover SCP on the Exchange 2016 servers before they are configured.

TLS Guidance 

Please consider disabling TLS 1.0 and 1.1 in your organization while the migration planning is underway. Do it in the documented order: first confirm that every Exchange server, and everything that talks to Exchange (domain controllers, load balancers, SMTP partners, monitoring and backup agents), supports TLS 1.2; then enable TLS 1.2 everywhere; only then disable the older versions. Be cautious and read all the guidance carefully, since doing this improperly can impact many different functions.
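As an added example (not code from the original post), the following PowerShell audits the SCHANNEL and .NET registry values that govern TLS on a Windows server running Exchange, and can apply the "disable 1.0/1.1, enable 1.2, make .NET follow the OS defaults" settings. The registry locations are the standard Windows ones; the assumption is that the prerequisite checks above are already done, because the change takes effect at the next reboot and cannot be undone remotely once a peer can no longer negotiate.

```powershell
# Added example (not from the original post): audit and, on request, set the SCHANNEL and
# .NET registry values that control TLS 1.0/1.1/1.2 on an Exchange server. Run in an
# elevated PowerShell on each server. Assumption: the server and every peer it talks to
# already support TLS 1.2; the values take effect after a reboot.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')

function Get-RegDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Report the configured state of each protocol for the Server and Client roles.
# $null means the key is absent and the OS default applies, which on older Windows
# versions leaves TLS 1.0 and 1.1 enabled.
function Get-TlsProtocolState {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$proto\$role"
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = Get-RegDword $key 'Enabled'
                DisabledByDefault = Get-RegDword $key 'DisabledByDefault'
            }
        }
    }
}

# Disable TLS 1.0/1.1, explicitly enable TLS 1.2, and make .NET 4.x use the OS defaults
# with strong crypto so managed code paths in Exchange (MRS, EWS, hybrid) negotiate
# TLS 1.2 too. Supports -WhatIf so you can review before writing anything.
function Set-TlsHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $settings = @{
        'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
        'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
        'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
    }
    foreach ($proto in $settings.Keys) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$proto\$role"
            if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$($settings[$proto].Enabled)")) {
                New-Item -Path $key -Force | Out-Null
                foreach ($name in $settings[$proto].Keys) {
                    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                        -Value $settings[$proto][$name] -Force | Out-Null
                }
            }
        }
    }
    foreach ($key in $DotNetKeys) {
        if ($PSCmdlet.ShouldProcess($key, 'Set SystemDefaultTlsVersions=1, SchUseStrongCrypto=1')) {
            New-Item -Path $key -Force | Out-Null
            foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
                New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
    }
}

Get-TlsProtocolState | Format-Table -AutoSize
Set-TlsHardening -WhatIf   # drop -WhatIf to apply, then reboot the server
```

Run the audit on both the 2010 and 2016 servers and keep the output; after the reboot, the SCHANNEL event log and the SMTP protocol logs are where you confirm that nothing fell back to a version you just disabled.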

Office Online Server 

Consider using Office Online Server to provide richer attachment handling for OWA and Outlook clients, and review Configuring Exchange to use OOS.

Hybrid Configuration 

There are two options for configuring your organization for hybrid: 

Classic full hybrid, configured with the Hybrid Configuration Wizard (HCW), is best for complex hybrid deployments that need multi-forest support, sharing policies, etc.

You can use the Modern Hybrid Agent (also sometimes called MHA) for simpler deployments, if you only need free/busy and the Mailbox Replication Service (MRS) to migrate mailboxes to Office 365. Note that these deployments do not support features such as Hybrid Modern Authentication (HMA) for on-premises, cross-premises Teams calendaring, and cross-premises message tracking. The Modern Hybrid Agent is designed for organizations that don't already have hybrid in place; if your existing 2010 organization is already configured for classic full hybrid, it is advisable to continue down that path.

The HCW can be run in two modes, Full or Minimal; there are items to observe with each, covered in the HCW post on the Exchange Team Blog.

Public Folders 

Exchange 2016 mailboxes can access legacy (2010) public folders, but through Outlook clients only (not OWA), by way of backwards compatibility; Exchange 2010 mailboxes cannot access modern public folders once they are hosted on 2016. This makes it an all-or-nothing configuration: your users are either using the 2010 public folders or the new modern public folders in 2016. For this reason, all user mailboxes should be moved to 2016 before moving any public folder data. Coexistence with legacy public folders can be used until you have migrated all the mailboxes; however, that configuration requires making the public folders discoverable by Autodiscover and involves several steps. Please review this link and Notes from the field, and consider your options.

Kerberos with Internal Outlook Clients 

Verify whether you are currently using Kerberos for the 2010 Outlook (RPC/TCP) clients. Exchange 2010 and 2016 cannot share the Alternate Service Account (ASA) credential, so it is imperative that you plan to remove the SPNs from the Exchange 2010 ASA before deploying Kerberos on 2016. Refer to the following blog, specifically noting step #4. To verify whether you have Kerberos enabled for 2010, run this cmdlet on one of the Exchange 2010 servers:

Get-ClientAccessServer CAS1 -IncludeAlternateServiceAccountCredentialStatus | FL Name, *Alt*

If you are using Kerberos, the output shows the ASA that is assigned:

Name : CAS1
AlternateServiceAccountConfiguration : Latest: 1/12/2016 10:19:22 AM, Contoso\EXCH2010ASA$

If no ASA is assigned, you can implement Kerberos for your 2016 internal clients by following this document.
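As an added example (not code from the original post), this script runs the check above against every Exchange 2010 Client Access server at once, reads the ASA account out of the "Latest: <date>, <account>" display string shown above, and lists the SPNs registered to each ASA with setspn.exe, which is the list you will be trimming before 2016 gets its own ASA. The regular expression and the version filter are assumptions based on that display format; nothing is modified.

```powershell
# Added example (not from the original post): list the ASA on every Exchange 2010 CAS and
# enumerate the SPNs registered to it, as planning input for removing SPNs from the 2010
# ASA before configuring a separate ASA for Exchange 2016. Run from the Exchange 2010
# Management Shell on a machine that has setspn.exe. Read-only.

# Exchange 2010 servers report AdminDisplayVersion "Version 14.x".
$cas2010 = Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Where-Object { $_.AdminDisplayVersion -like 'Version 14.*' }

$asaByServer = foreach ($cas in $cas2010) {
    # The configuration object renders as "Latest: 1/12/2016 10:19:22 AM, Contoso\EXCH2010ASA$";
    # parse that string rather than relying on the object's internal layout (assumption).
    $display = [string]$cas.AlternateServiceAccountConfiguration
    $account = $null
    $since   = ''
    if ($display -match 'Latest:\s*(?<when>[^,]+),\s*(?<acct>\S+)') {
        $account = $Matches['acct']
        $since   = $Matches['when'].Trim()
    }
    [pscustomobject]@{
        Server = $cas.Name
        Asa    = if ($account) { $account } else { '<none>' }
        Since  = $since
    }
}
$asaByServer | Format-Table -AutoSize

# Every 2010 CAS should show the same ASA; a mix means Kerberos was only partly rolled out.
$asaAccounts = $asaByServer | Where-Object { $_.Asa -ne '<none>' } |
    Select-Object -ExpandProperty Asa -Unique

foreach ($asa in $asaAccounts) {
    Write-Host "SPNs registered to $asa"
    # setspn -L lists them. Removal, when the time comes, is: setspn -D <spn> <account>
    setspn -L $asa
}
if (-not $asaAccounts) {
    Write-Host 'No ASA configured on any Exchange 2010 CAS: Kerberos is not in use for 2010 clients.'
}
```

Keep the setspn output with your planning notes: the http/, exchangeMDB/, exchangeRFR/ and exchangeAB/ entries on the 2010 ASA are exactly what has to move when the namespace is handed to 2016.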

POP3 and IMAP clients 

Verify whether you have any clients using POP3 or IMAP4. Remember that the front-end and back-end POP3/IMAP4 services are off by default on Exchange 2016. From a security perspective they should only be enabled if still absolutely needed; in the best case we keep every unnecessary attack vector into the Exchange environment closed. If you do need to enable the services, still disable POP and IMAP access at the mailbox level for every mailbox that does not need them, so the protocols are only reachable for the users who actually use them.
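As an added example (not code from the original post), this script takes stock of POP3/IMAP4 exposure on the Exchange 2016 servers: service state per server, whether protocol logging is on (without it you cannot show from evidence that nobody uses the protocol), and which mailboxes still have POP or IMAP enabled at the mailbox level. The service names are the standard Exchange 2016 ones; nothing changes unless you pass -Disable.

```powershell
# Added example (not from the original post): inventory POP3/IMAP4 on Exchange 2016 and,
# optionally, close the protocols per mailbox. Run from the Exchange 2016 Management Shell.
param([switch]$Disable)

# 1. Service state on every 2016 server. MSExchangePOP3/MSExchangeIMAP4 are the front-end
#    services, the *BE services the back end; all four are Stopped/Manual by default.
$servers = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion -like 'Version 15.1*' }
foreach ($srv in $servers) {
    Get-Service -ComputerName $srv.Name `
        -Name MSExchangePOP3, MSExchangePOP3BE, MSExchangeIMAP4, MSExchangeIMAP4BE `
        -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Server'; e = { $srv.Name } }, Name, Status, StartType

    # 2. Protocol logging per server, so usage (or its absence) can be proven from the logs.
    Get-PopSettings -Server $srv.Name |
        Select-Object @{ n = 'Server'; e = { $srv.Name } }, @{ n = 'Protocol'; e = { 'POP3' } },
                      ProtocolLogEnabled, LogFileLocation
    Get-ImapSettings -Server $srv.Name |
        Select-Object @{ n = 'Server'; e = { $srv.Name } }, @{ n = 'Protocol'; e = { 'IMAP4' } },
                      ProtocolLogEnabled, LogFileLocation
}

# 3. Mailboxes that still have POP or IMAP enabled. On-premises, a new mailbox gets both
#    enabled by default, so this list is usually "everyone" until you act on it.
$exposed = Get-CASMailbox -ResultSize Unlimited -Filter { PopEnabled -eq $true -or ImapEnabled -eq $true }
'{0} mailboxes have POP or IMAP enabled' -f @($exposed).Count

# 4. Close the protocols at the mailbox level. Keep the services stopped as well; the
#    mailbox flag is defence in depth, not a substitute for an unreachable listener.
if ($Disable) {
    $exposed | Set-CASMailbox -PopEnabled $false -ImapEnabled $false
}
```

If a handful of devices genuinely need IMAP, run the script without -Disable, remove those mailboxes from `$exposed`, and disable the rest; that leaves the protocol reachable only for accounts you can name.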

Unified Messaging 

This post will not cover Unified Messaging (UM); however, if your organization uses UM, it's recommended that you review the steps in Upgrade Exchange 2010 UM to Exchange 2013 UM.

Deploy 

When you are ready to deploy, create your own document or spreadsheet and add additional items that fit within your organization's configuration needs.

Prepare Active Directory 

Please refer to this document for details regarding preparing AD and domains. Your account needs to be a member of the Schema Admins and Enterprise Admins security groups to run /PrepareSchema, and a member of the Enterprise Admins security group to run /PrepareAD.

Examples:  
E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema 

E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD  

If you choose not to do this as a separate step prior to install, the installer will try to perform the same tasks using the logged-on credentials. If you choose to do this from a non-Exchange server, ensure it has the appropriate tools, such as the RSAT AD DS tools and a supported .NET Framework version (4.7.2 at the time of writing; see the supportability matrix).

/PrepareAD also prepares the domain it is run in, so if your forest has a single domain nothing more is needed. If your forest consists of multiple domains, you will need to prepare the additional domains as well, either one at a time or all at once:

Examples:
E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareDomain:<domain FQDN>
E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

Install Windows Server 

This document does not cover installing Windows Server; however, we encourage that all Windows Server updates be installed. Please use the Exchange prerequisites to plan the OS installation.

Pre-requisite Script 

Please review the optional pre-requisite script and consider using this to configure the servers for Exchange 2016. This script is provided “as is” and is not supported. Please test in your environment before using this script.  

.NET 

The pre-requisite script should ask you to install the appropriate .NET version; however, it's worth calling out that the version installed should be listed as a supported version in the Exchange Server supportability matrix.

Configure the 2010 Databases for Default OAB 

If the Exchange 2010 mailbox databases do not have an offline address book (OAB) explicitly assigned when Exchange 2016 is installed, Setup creates a new default OAB on an Exchange 2016 server and makes it the organization default, and every 2010 mailbox whose database follows the organization default incurs a full OAB download. Assign the existing 2010 OAB to each 2010 database before running Setup. For more information, see the Exchange Deployment Assistant under the section "Configure default offline address book".

Configure Outlook Anywhere on all Exchange 2010 CAS  

The recommended protocol is MAPI/HTTP; however, if you plan to stay in coexistence with 2010 mailboxes, you will need Outlook Anywhere (OA) enabled on 2010 for client proxying from 2016 to 2010 to work correctly. Each 2010 CAS should have OA enabled with NTLM as the "Client Authentication Method". This allows the 2016 servers to proxy connections to 2010 mailboxes without authentication prompts.
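As an added example (not code from the original post), the two Exchange 2010-side preparations above, pinning the OAB on the 2010 databases and enabling Outlook Anywhere with NTLM on every 2010 CAS, in one script run from the Exchange 2010 Management Shell before Setup. "Default Offline Address Book" and mail.contoso.com are assumed names; confirm yours with Get-OfflineAddressBook and Get-OutlookAnywhere first.

```powershell
# Added example (not from the original post): prepare the Exchange 2010 side for
# coexistence before Exchange 2016 Setup runs. Run from the Exchange 2010 Management Shell.

$OabName   = 'Default Offline Address Book'   # assumed name of the existing 2010 OAB
$OaExtHost = 'mail.contoso.com'               # assumed Outlook Anywhere namespace

# 1. Pin the 2010 OAB on every 2010 database that has none set. A database with no OAB
#    follows the organization default, which 2016 Setup replaces with a new OAB.
$oab = Get-OfflineAddressBook -Identity $OabName
Get-MailboxDatabase |
    Where-Object { $_.AdminDisplayVersion -like 'Version 14.*' -and -not $_.OfflineAddressBook } |
    ForEach-Object {
        Write-Host "Assigning '$OabName' to database $($_.Name)"
        Set-MailboxDatabase -Identity $_.Identity -OfflineAddressBook $oab.Identity
    }

# 2. Outlook Anywhere with NTLM client authentication on every 2010 CAS, so 2016 can proxy
#    to 2010 mailboxes without credential prompts. Enable-OutlookAnywhere requires the
#    external host name and the SSL offloading setting.
$cas2010 = Get-ClientAccessServer | Where-Object { $_.AdminDisplayVersion -like 'Version 14.*' }
foreach ($cas in $cas2010) {
    $oa = Get-OutlookAnywhere -Server $cas.Name -ErrorAction SilentlyContinue
    if (-not $oa) {
        Write-Host "Enabling Outlook Anywhere on $($cas.Name)"
        Enable-OutlookAnywhere -Server $cas.Name -ExternalHostname $OaExtHost `
            -ClientAuthenticationMethod Ntlm -SSLOffloading $false | Out-Null
        $oa = Get-OutlookAnywhere -Server $cas.Name
    }
    if ($oa.ClientAuthenticationMethod -ne 'Ntlm' -or $oa.IISAuthenticationMethods -notcontains 'Ntlm') {
        Write-Host "Setting NTLM client and IIS authentication on $($cas.Name)"
        Set-OutlookAnywhere -Identity $oa.Identity -ClientAuthenticationMethod Ntlm `
            -IISAuthenticationMethods Basic, Ntlm
    }
}

# Verify before moving on to the 2016 install.
Get-OutlookAnywhere |
    Format-Table Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods -AutoSize
Get-MailboxDatabase | Format-Table Name, OfflineAddressBook -AutoSize
```

Outlook Anywhere changes on Exchange 2010 can take several minutes to become effective on the RPC proxy, so run the verification again after a short wait rather than immediately.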

Exchange Active Directory Deployment Site 

If you chose the Active Directory deployment site approach in the Plan section, create the site and make sure the new server's IP address falls within it before running Setup, so that internal domain-joined clients do not discover the SCP on the Exchange 2016 servers until you are ready.

Install Mailbox Role 

To install the Mailbox role, you can use the GUI setup or the local shell (CMD / PowerShell). For the most recent build of Exchange, please use this link. Please be sure to review the section below related to "Configure Anti-Virus Exclusions".

Configure Autodiscover SCP for Internal Clients  

If you chose not to install Exchange in an Active Directory deployment site as discussed under the "Plan" section, follow these steps instead.

When you install Exchange, the new server registers a Service Connection Point (SCP) and wants to answer Autodiscover requests from your internal clients. To keep the clients from using the newly installed servers, point the SCP either to the 2010 namespace or set it to a NULL value. It is easier to point the SCP to the 2010 namespace so you don't have to change it again; this assumes that you previously set the 2010 SCP to a load-balanced namespace. If the 2010 SCP still points to a server FQDN, it is recommended to set the 2016 value to NULL; you can change this to point to Exchange 2016 later (a step that is noted later in this blog).

Determine where the SCP is pointed using this example:  

Get-ClientAccessServer -Identity CAS2010 | FL *auto*

To point to the existing 2010 namespace:  

Set-ClientAccessServer -Identity <Exchange2016> -AutoDiscoverServiceInternalURI https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml  

Null the SCP on 2016 

Set-ClientAccessServer -Identity <Exchange2016> -AutoDiscoverServiceInternalUri $Null
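As an added example (not code from the original post), this script generalizes the three commands above to the whole organization: it reports every server's SCP, finds the Exchange 2016 servers whose SCP still points at their own FQDN (the state Setup leaves behind), and parks those on the 2010 namespace or on $null. The hold URI is an assumed value; replace it with what Get-ClientAccessServer shows for your 2010 servers. Without -Apply it only reports.

```powershell
# Added example (not from the original post): audit Autodiscover SCPs and hold the Exchange
# 2016 SCPs at the 2010 namespace (or $null) until the cut-over step later in the post.
# Run from the Exchange 2016 Management Shell.
param(
    [string]$HoldUri = 'https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml',  # assumed 2010 namespace
    [switch]$UseNull,   # set the 2016 SCPs to $null instead of $HoldUri
    [switch]$Apply      # without this, report only
)

$servers = Get-ClientAccessServer
$servers | Format-Table Name, AdminDisplayVersion, AutoDiscoverServiceInternalUri -AutoSize

# Exchange 2016 reports "Version 15.1". Setup points a new server's SCP at its own FQDN,
# which is what lets domain-joined Outlook clients land on a server that is not ready.
$new = $servers | Where-Object { $_.AdminDisplayVersion -like 'Version 15.1*' }

foreach ($srv in $new) {
    $uri = $srv.AutoDiscoverServiceInternalUri
    $pointsAtSelf = ($null -ne $uri) -and ($uri.Host -ieq $srv.Fqdn)
    if (-not $pointsAtSelf) {
        $shown = if ($uri) { $uri.AbsoluteUri } else { '<null>' }
        Write-Host "$($srv.Name): SCP already $shown"
        continue
    }

    $target    = if ($UseNull) { $null } else { $HoldUri }
    $targetStr = if ($target) { $target } else { '<null>' }
    $verb      = if ($Apply) { 'setting to' } else { 'would set to' }
    Write-Host "$($srv.Name): SCP points at itself ($($uri.AbsoluteUri)); $verb $targetStr"

    if ($Apply) {
        Set-ClientAccessServer -Identity $srv.Name -AutoDiscoverServiceInternalUri $target
    }
}
```

Re-run it with no switches after each new 2016 server is installed; a server that slipped through with a self-pointing SCP is the usual cause of "Outlook suddenly prompts for credentials" reports during a build-out.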

Run the Exchange Health Checker 

The health checker script will identify potential critical issues and it’s recommended to run the script, then thoroughly review the findings. Implement all recommendations called out in each warning to avoid future outages or performance issues. Consider running this after placing an increased load on the servers or potentially after patching. Also consider reviewing this document for additional best practices.  

Configure Exchange 2016 URL’s 

If you have followed the guidance of the Exchange Deployment Assistant, you may already have a table, similar to the one in that guide, documenting your URL settings.

Configure Exchange 2016 Certificates 

Depending on your plan, you may be using existing certificates or creating new ones. The Deployment Assistant covers the steps you can use in the EAC or the EMS; use this guidance.

Create DAGs 

At this point you can create your DAGs following the guidance here. There is no official stance on whether you should use IP-less DAGs (no cluster administrative access point); the usual deciding point is whether you want to use Failover Cluster Manager to review cluster health, which isn't possible with an IP-less DAG. Note that you should only make DAG changes through Exchange (the DAG cmdlets), never directly through the cluster tools, or you risk leaving your DAG in an inconsistent state.

Configure Anti-Virus Exclusions 

Note that our best practice is to create the DAGs and add database copies before installing A/V, then ensure the exclusions are added per our documentation. If you choose to install A/V first, there can be issues unless all exclusions are added and confirmed.

Running file-level A/V on the server is common practice, but if it isn't configured correctly, Windows antivirus software can cause problems in Exchange Server. It's a common support call: A/V scanning the directories, files and processes needed by Exchange causes issues. Please exclude all of the items for Exchange and IIS, discussed here, and for the Windows OS, discussed here.
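As an added example (not code from the original post), this script derives the Exchange-specific exclusions from the server's own configuration instead of a hand-typed list and adds them to Microsoft Defender Antivirus. It covers the install path, every database and log folder hosted on the server, the transport queue, the common file extensions and a subset of the processes named in the documentation; the complete Exchange, IIS and OS lists linked above still apply, and a third-party scanner needs the same entries in its own console. The Defender cmdlets are assumed to be present (Windows Server 2016 or later).

```powershell
# Added example (not from the original post): build Defender exclusions from this server's
# Exchange configuration. Run in an elevated Exchange 2016 Management Shell on the server
# being configured, after the DAG and database copies exist so no path is missed.

$install = $env:ExchangeInstallPath
$paths = New-Object System.Collections.Generic.List[string]
$paths.Add($install)
$paths.Add((Join-Path $install 'TransportRoles\data\Queue'))
$paths.Add((Join-Path $install 'Logging'))

# Database files and transaction log folders for every copy hosted on this server.
# EdbFilePath and LogFolderPath come straight from the database objects, so the
# exclusions follow whatever layout (mount points included) the design used.
foreach ($db in (Get-MailboxDatabase -Server $env:COMPUTERNAME)) {
    $paths.Add((Split-Path $db.EdbFilePath.PathName -Parent))
    $paths.Add($db.LogFolderPath.PathName)
}

# File extensions and a subset of the processes from the Exchange documentation:
# store, transport, search, MRS, health manager, RPC client access and the IIS workers.
$extensions = '.edb', '.log', '.chk', '.jrs', '.jsl', '.que'
$processes  = 'Microsoft.Exchange.Store.Worker.exe', 'MSExchangeTransport.exe', 'EdgeTransport.exe',
              'w3wp.exe', 'Microsoft.Exchange.Search.Service.exe', 'NodeRunner.exe',
              'MSExchangeMailboxReplication.exe', 'MSExchangeHMWorker.exe',
              'Microsoft.Exchange.RpcClientAccess.Service.exe', 'MSExchangeMailboxAssistants.exe'

$unique = $paths | Sort-Object -Unique
Add-MpPreference -ExclusionPath $unique -ExclusionExtension $extensions -ExclusionProcess $processes

# Confirm what Defender now holds and compare it against the documented lists.
$pref = Get-MpPreference
'Paths:';      $pref.ExclusionPath      | Sort-Object
'Extensions:'; $pref.ExclusionExtension | Sort-Object
'Processes:';  $pref.ExclusionProcess   | Sort-Object
```

Because the database paths are read from the live configuration, re-run the script after adding a database copy or moving a database path; a copy added later is the classic way an "all exclusions were confirmed" server ends up with a scanned log folder.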

Configure Connectors  

Configure any send/receive connectors used in your organization to allow Exchange 2016 to accept and send mail. 

Migrate 

Now that the deployment is complete, the next steps are to migrate.

Create a Test Mailbox on 2016 

It’s recommended to create a non-administrator test mailbox and verify connectivity to the protocols your organization uses. Test Outlook, free/busy, OWA, ActiveSync, out of office, and any other applications used.  

Test the 2010 Mailbox   

Be sure to test and verify that 2010 mailboxes can connect through Exchange 2016 by creating a HOSTS file entry on a client machine. This HOSTS entry should map the load-balanced namespace to the IP address of a 2016 server (192.168.1.5 in the example). Then check Outlook's "Connection Status" window to verify that the proxy server column is populated and the connection is HTTP or HTTPS.

Example: 

The HOSTS file is in the C:\Windows\System32\Drivers\etc directory. Example entry that points the client to 192.168.1.5 for any calls to Mail.Contoso.com:

192.168.1.5    Mail.Contoso.com 

Reconfigure SCP to 2016 Namespace 

Earlier in this document, it was recommended to deploy Exchange 2016 in a separate AD site. If Exchange 2016 was instead installed in the existing site and the SCP was pointed to the 2010 namespace or set to NULL, it should now be updated. Depending on that earlier modification, you would now set the SCP to point to either the internal FQDN of the 2016 server or the load-balanced 2016 namespace.

Move Arbitration Mailboxes 

It's necessary to move the system/arbitration mailboxes from Exchange 2010 to 2016 for many things to work properly, including the Exchange Admin Center (EAC). To verify which system mailboxes are on 2010, run this cmdlet:

Get-Mailbox -Arbitration | FT Name, Database -AutoSize

For additional details please see this document.   

DNS & Load Balancing, MX Record Changes 

Once you have verified that clients are connecting, you can plan to move DNS from 2010 to point to 2016, modify load balanced pools, update MX records, firewall rules, NAT assignments, etc.  

Run Hybrid Configuration Wizard 

If in hybrid, run the newest version of the HCW and input the servers that that will be handling hybrid functions.  

Move Administrator Mailboxes 

Use either the EAC or the Exchange Management Shell (EMS) to move the administrator mailboxes to 2016. While your administrator mailbox is still on 2010, open the Exchange 2016 EAC by browsing to the ECP URL of an Exchange 2016 Mailbox server with the ExchClientVer parameter, as shown below.

Examples: 

ECP: https://Ex2016/ecp?ExchClientVer=15  

EMS: New-MoveRequest -Identity 'tony@contoso.com' -TargetDatabase "DB01" 

Move Mailboxes 

Please refer to Managing mailbox moves for details. Please note that in some cases you may need to restart the Autodiscover application pool to avoid connectivity issues, as discussed here. It should be noted that when moving mailboxes you should take into account the increased transaction log generation that will occur on both the source and target databases, and plan moves to coincide with your backup schedule (backups truncate the logs) to help manage free space on your log volumes; otherwise you risk the databases dismounting during or after the move operation.
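As an added example (not code from the original post), this script ties the "Move Arbitration Mailboxes" and "Move Mailboxes" steps together from the Exchange 2016 Management Shell: it moves the arbitration mailboxes still on 2010 first, queues one 2010 database's user mailboxes as a named batch, rolls up the move status, and reports free space on the target log volume (mount points included) so you can see the log growth the paragraph above warns about. DB01 and DB2010-01 are assumed database names.

```powershell
# Added example (not from the original post): arbitration moves first, then a user batch,
# with status and target log-volume checks. Run from the Exchange 2016 Management Shell.

$TargetDb = 'DB01'        # assumed Exchange 2016 database
$SourceDb = 'DB2010-01'   # assumed Exchange 2010 database

# Get-MailboxDatabase on 2016 hides Exchange 2010 databases unless asked for them.
$dbs2010 = Get-MailboxDatabase -IncludePreExchange2013 |
    Where-Object { $_.AdminDisplayVersion -like 'Version 14.*' } |
    Select-Object -ExpandProperty Name

# 1. Arbitration mailboxes still on 2010: EAC, eDiscovery and OAB generation depend on them.
$arb = Get-Mailbox -Arbitration | Where-Object { $dbs2010 -contains $_.Database.Name }
$arb | Format-Table Name, Database -AutoSize
$arb | New-MoveRequest -TargetDatabase $TargetDb -BatchName 'Arbitration'

# 2. One 2010 database at a time. MRS processes moves in the background, so queue a batch
#    and poll rather than moving mailboxes one by one.
Get-Mailbox -Database $SourceDb -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $TargetDb -BatchName "Batch-$SourceDb" -BadItemLimit 10

# 3. Status roll-up and failures; run this part repeatedly while the batch is in flight.
$stats = Get-MoveRequest -BatchName "Batch-$SourceDb" | Get-MoveRequestStatistics
$stats | Group-Object Status | Select-Object Name, Count
$stats | Where-Object { $_.Status -like 'Fail*' } | Format-List DisplayName, FailureType, Message

# 4. Free space on the volume that holds the target database's logs. Win32_Volume, matched
#    on the longest prefix, handles both drive letters and mount points.
$db      = Get-MailboxDatabase -Identity $TargetDb -Status
$logPath = $db.LogFolderPath.PathName
$volume  = Get-WmiObject Win32_Volume -ComputerName $db.MountedOnServer |
    Where-Object { $_.Name -and $logPath.StartsWith($_.Name, 'OrdinalIgnoreCase') } |
    Sort-Object { $_.Name.Length } -Descending | Select-Object -First 1
'Target {0} logs on {1} ({2}): {3:N1} GB free' -f $TargetDb, $db.MountedOnServer, $volume.Name, ($volume.FreeSpace / 1GB)
```

Step 4 is the number to watch between backups: the source database generates logs as well, so run the same check against the 2010 server hosting $SourceDb before queuing the next batch.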

Migrate Public Folders 

The guidance for migration of public folders is here 

Remove legacy Exchange versions 

After you've finished deploying and configuring Exchange 2016 in your organization, you may be ready to remove previous versions of Exchange. For more information about removing legacy Exchange servers, see Modify or Remove Exchange 2010. 

I wanted to thank the following people for reviewing and making suggestions to this blog post: Chad Solarz, Paul Newell, Josh Hagen, David Paulson, Nino Bilic, Rob Whaley, Bhalchandra Atre, Greg Taylor and Mike Brown.

Charlene Stephens

Updated Apr 27, 2020
Version 4.0
  • Stellar article!  A sweet all in one for us to pivot from over the next while that Exchange 2010 makes its grand exit.

  • Great article. I think a couple of things you may want to add that I see in most migrations are:


    • For known 3rd-party applications that integrate with Exchange, consider updating their HOSTS file to make sure they will work with a 2016 front-end server. If you have a test environment for those 3rd-party apps, even better. 
    • Consider using Log Parser Studio (insert EHLO blog post here) to help identify unknown 3rd-party apps, or, other integrations that tie into EWS.
    • During decommission, parse the SMTP logs to identify any devices or applications submitting mail that may be doing direct IP (rather than via a VIP or FQDN).
    • Parsing the IIS logs once you have migrated all users doesn't hurt either. May have apps doing direct EWS calls to an IP.
  • ForumUser

    Hello thank you for this.  However I would not spend a lot of time and resources migrating to 2016 with 2019 being almost a year old.  I am really hoping to see either an article like this, or even better the Deployment Assistance be updated to include Exchange 2019.  Do you know if your team is making progress on that?


    Thanks!

  • SuperCocoLoco

    I'm impressed by the lack of support for DKIM encryption in Exchange Server 2016-2019 On-Premises.

    It is inadmissible and a shame to not have DKIM encryption support in 2019. Actually the new Microsoft no longer has the capacity or quality to develop products. It has lost its way and does not even know what it is doing. Only Cloud and Mobile, only, not first.