As many of you know from the previous blog post, Exchange 2010 End of Support Is Coming and the soon-to-be-a-classic sequel post Microsoft Extending End of Support for Exchange Server 2010 to October 13th, 2020 time is up for Exchange Server 2010 and you should plan to migrate to Office 365.
We have had some requests for guidance on moving from on-premises Exchange 2010 to 2016. If you have a hybrid configuration, mailboxes, or public folders on Exchange 2010, you should prepare to install Exchange 2016 before October 13, 2020.
This blog post is intended to provide best practices on preparing and planning your migration. It’s important to note that due to so many different types of deployments and configurations, it’s difficult to cover all scenarios, but many of the common steps are included. With that said, please plan your migration carefully and include all aspects of the environment. Some of the steps below may or may not apply to your situation (we will err on the side of over-communicating details.)
Please note that there is no direct migration path from Exchange 2010 to Exchange 2019, so that will not be covered in this post.
Here are a few links that can help you understand the major moving parts and might be useful throughout the migration:
Planning is the most important step in this process. We recommend using the Exchange Deployment Assistant to help guide you in planning your migration. Collect information and use the table in the guide to annotate details about the organization.
Using our guidance like Plan for High Availability and Site Resilience documentation will help you decide how available is available enough. Consider all your failure domains, such as disk, network, entire node, virtualization loss, entire datacenter failure, etc. How many of those failures can your design survive? Does your environment today have any pain points which new design can address?
When you have a plan in place, what are the associated costs for each component? Consider licensing, rack space, hardware, disk, network, bandwidth, backups or 3rd party app support.
Review the following links to plan server sizing, virtualization and high availability:
Certificates and Namespace
Determine your migration plan for certificates or determine if new 3rd party certificates are needed. If you’ve reviewed the earlier referenced namespace planning link you should be aware of the requirements here. Seeing that this is a good opportunity, we have seen see some of our customers change their namespaces (for example, changing the old namespace of remote.contoso.com to outlook.contoso.com). If split-brain DNS is not implemented, this would be a good time to plan moving from outlook.contoso.local to outlook.constoso.com. Another consideration is regarding ambiguous URLs which can impact the clients if the CAS Array Object in 2010 is the same name as external URLs.
Exchange Active Directory Deployment Site
Consider installing Exchange into an Active Directory deployment site to avoid the internal domain joined clients from looking up the SCP on Exchange 2016 servers.
Please consider disabling TLS 1.0 and 1.1 in your organization while the migration planning is underway. Be cautious and read all the guidance carefully since doing this improperly can impact many different functions.
Office Online Server
There are two options for configuring your organization for hybrid:
Hybrid Configuration Wizard (HCW) is best for complex hybrid deployment that requires that need multi-forest, sharing policies, etc.
You can use the Modern Hybrid Agent (also sometimes called MHA) for simpler deployments if you only need free/busy and Mailbox Replication Service (MRS) to migrate mailboxes to O365. Note that these types of deployments will not support things like Hybrid Modern Authentication (HMA) for on-premises, cross-premises teams calendaring, and cross-prem message tracking. Note that the Modern Hybrid Agent is designed for organizations that don’t already have hybrid in place. If your existing 2010 organization is already configured for ‘classic full hybrid’ then it is advisable to continue down this path.
There are some items that should be observed with the two modes of the HCW you can run: Full or Minimal - HCW Exchange Team Blog
Legacy public folders can be accessed by Exchange 2016 mailboxes via Outlook clients only (not OWA) due to backwards compatibility, but Exchange 2010 mailboxes cannot access the new modern public folders once they are hosted on 2016. This becomes an “all or nothing” kind of configuration. Your users are either using 2010 public folders, or the new modern PFs in 2016. For this reason, all user mailboxes should be moved to 2016 before moving any PF data. Coexistence with legacy public folders can be used until you have migrated all the mailboxes; however, that configuration requires making the public folders discoverable by AutoDiscover, and requires several steps. Please review this link and Notes from the field and consider your options.
Kerberos with Internal Outlook Clients
Verify if you are currently using Kerberos for the 2010 TCP Clients. Exchange 2010 and 2016 cannot share the Alternate Service Account (ASA) credential, so it’s imperative you plan to remove the SPN from Exchange 2010 prior to deploying to 2016. Refer to the following blog, specifically noting step #4. To verify if you have Kerberos enabled for 2010, run this cmdlet on one of the Exchange 2010 servers:
Get-ClientAccessServer CAS1 -IncludeAlternateServiceAccountCredentialStatus | FL *Alt*
The output will show the ASA that is assigned, if you are using Kerberos.
Output: Name: CAS-1
AlternateServiceAccountConfiguration : Latest: 1/12/2016 10:19:22 AM, Contoso\EXCH2010ASA$
If this there is not an ASA assigned, you can implement Kerberos for your 2016 internal clients by following this document.
POP3 and IMAP clients
Verify if you have any clients running POP3 or IMAP. Remember that these front and backend services are off by default. Ideally, from a security perspective, they should only be enabled if still absolutely needed. In a best-case scenario, we’d like to keep any attack vector into the Exchange environment closed. If you do need to enable the services, still try to disable POP and IMAP access at the mailbox level moving forward.
This post will not cover UM however, if your organization uses UM, its recommended that you review the steps in Upgrade Exchange 2010 UM to Exchange 2013 UM.
When you are ready to deploy, create your own document or spreadsheet and add additional items that fit within your organization’s configuration needs.
Prepare Active Directory
Please refer to this document for details regarding Preparing AD and domains. Your account needs to be a member of the Schema Admins and Enterprise Admins security groups to run /PrepareSchema and your account needs to be a member of the Enterprise Admins security group to run /PrepareAD.
E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD
If you choose to not do this as a separate step prior to install, the installer will try to perform the same tasks using the logged-on credentials. If you choose to do this from a non-Exchange server, ensure it has the appropriate tools such as the RSAT ADDS tools and .net 4.7.2.
If your forest consists of multiple domains (/PrepareAD will handle this if you only have one domain), you will need to prepare them.
E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareDomain:
E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains
Install Windows Server
This document does not cover installing Windows Server however, we encourage that all Server updates be installed. Please use the Exchange prerequisites to plan the OS installation.
Please review the optional pre-requisite script and consider using this to configure the servers for Exchange 2016. This script is provided “as is” and is not supported. Please test in your environment before using this script.
The pre-requisite script should ask you to install the appropriate .NET version, however its worth calling out that the version installed should be listed as supported version in the Exchange Server supportability matrix.
Configure the 2010 Databases for Default OAB
If the Exchange 2010 databases are not configured for a default OAB when Exchange 2016 is installed, the new default OAB will be created on an Exchange 2016 server, causing the Exchange 2010 mailboxes to incur a full download of the OAB. For more information, see the Exchange Deployment Assistant under the section “Configure default offline address book”
Configure Outlook Anywhere on all Exchange 2010 CAS
The recommended protocol is MAPI/HTTP; however, if you plan to stay in coexistence with 2010 mailboxes, you will need to enable Outlook Anywhere (OA) for client proxying from 2016 to 2010 to work correctly. Each 2010 CAS should have OA enabled with NTLM for the “Client Authentication Method” parameter. This will allow the 2016 servers to proxy connections to 2010 mailboxes to without authentication prompts.
Exchange Active Directory Deployment Site
Consider installing Exchange into an Active Directory deployment site to avoid internal domain joined clients from looking up the SCP on Exchange 2016 servers.
Install Mailbox Role
To install the Mailbox role, you can use the GUI setup or the available local shell (CMD / PowerShell). For the most recent build of Exchange, please use this link. Please be sure to review the section below related to “Configure Anti-Virus Exclusions”
Configure Autodiscover SCP for Internal Clients
If you chose to not install Exchange in an Active Directory deployment site discussed under the “Plan” section, follow these steps instead.
When you install Exchange, the server wants to answer incoming Service Connection Point (SCP) requests for your internal clients. To keep the clients from accessing the newly installed servers, you should point the SCP either to the 2010 CAS or set to a NULL value. It’s easier to point the SCP to 2010 namespace so you don’t have to change it again. This assumes that you previously set the 2010 SCP to a load-balanced namespace. If the SCP is still pointed to the server FQDN, then it is recommended setting the value to NULL; you can change this to point to Exchange 2016 later. (This is a step that is noted later in this blog.)
Determine where the SCP is pointed using this example:
Get-ClientAccessServer -Identity CAS2010| fl *auto*
To point to the existing 2010 namespace:
Set-ClientAccessServer -Identity <Exchange2016> -AutoDiscoverServiceInternalURI https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
Null the SCP on 2016:
Set-ClientAccessServer -Identity <Exchange2016>-AutoDiscoverServiceInternalUri $Null
Run the Exchange Health Checker
The health checker script will identify potential critical issues and it’s recommended to run the script, then thoroughly review the findings. Implement all recommendations called out in each warning to avoid future outages or performance issues. Consider running this after placing an increased load on the servers or potentially after patching. Also consider reviewing this document for additional best practices.
Configure Exchange 2016 URL’s
If you have followed the guidance of the Exchange Deployment Assistant, you may already have a table created similar to the one in that guide to document your URL settings.
Configure Exchange 2016 Certificates
Depending on your plan, you may be using existing certificates or may be creating new ones. The deployment assistant covers steps you can use in the EAC or the EMS using this guidance.
At this point you can create your DAGs following the guidance here. There is no official stance on whether you should utilize IP-less functionality, but the usual deciding point is whether or not you want to use the Failover Cluster Manager to review your cluster health as this isn’t possible when using an IP-less DAG. Please note you should only be making DAG changes through Exchange or you run the risk of leaving your DAG in an inconsistent state.
Configure Anti-Virus Exclusions
Note that it’s our best practice is to create DAGs and add database copies before installing A/V, then ensure the exclusions are added per our documentation. If you choose to install A/V first there can be issues unless all exclusions are added and confirmed.
Running file-level A/V on the server is common practice, but if they aren't configured correctly, Windows antivirus programs can cause problems in Exchange Server. It’s a common support call where A/V scanning directories, files and processes needed by Exchange can cause issues. Please exclude all of the items for Exchange and IIS, discussed here and for Windows OS, discussed here.
Configure any send/receive connectors used in your organization to allow Exchange 2016 to accept and send mail.
Now that we have completed the deploy, the next steps are to migrate.
Create a Test Mailbox on 2016
It’s recommended to create a non-administrator test mailbox and verify connectivity to the protocols your organization uses. Test Outlook, free/busy, OWA, ActiveSync, out of office, and any other applications used.
Test the 2010 Mailbox
Be sure to test and verify that the 2010 mailboxes can connect through Exchange 2016 by creating a HOSTS file entry on the client machine. This HOSTS file should have the IP address of a 2016 server (192.168.1.5), using the load balanced namespace. Check the “Connection Status” window to verify that the proxy server column is populated, and the connection is HTTP or HTTPS.
The Hosts file is in C:\Windows\System32\Drivers\etc directory. Example host entry that would point the client to 192.168.1.5 for any calls going out to Mail.Contoso.com:
Reconfigure SCP to 2016 Namespace
Earlier in this document, it was recommended to deploy Exchange 2016 in a separate AD site. If Exchange 2016 was installed in the existing site, and the SCP was moved to 2010 or NULL value, it should be updated. Depending on that modification, you would now set the SCP to point to either the internal FQDN of the 2016 server or the load balanced namespace.
Move Arbitration Mailboxes
It’s necessary to move the system/arbitration mailboxes from Exchange 2010 to 2016 for many things to work properly, including the Exchange Admin Center (EAC). To verify which system mailboxes are on 2010, run this cmdlet: Get-Mailbox -Arbitration | FT Name, Database -AutoSize
For additional details please see this document.
DNS & Load Balancing, MX Record Changes
Once you have verified that clients are connecting, you can plan to move DNS from 2010 to point to 2016, modify load balanced pools, update MX records, firewall rules, NAT assignments, etc.
Run Hybrid Configuration Wizard
If in hybrid, run the newest version of the HCW and input the servers that that will be handling hybrid functions.
Move Administrator Mailboxes
Use either EAC or the Exchange Management Shell (EMS) to move the administrator mailboxes to 2016 or open the EAC by browsing to the URL of your Exchange 2016 Mailbox server.
EMS: New-MoveRequest -Identity 'firstname.lastname@example.org' -TargetDatabase "DB01"
Please refer to Managing mailbox moves for details. Please note that in some cases you may need to restart the Autodiscover Application Pool to avoid connectivity issues as discussed here. It should be noted that when moving mailboxes you should take into account the increased log generation that will occur on both the source and target databases, and plan this to coincide with when your backups run to help manage your free space for your databases, otherwise you risk the databases dismounting during/after the move operation.
Migrate Public Folders
The guidance for migration of public folders is here.
Remove legacy Exchange versions
After you've finished deploying and configuring Exchange 2016 in your organization, you may be ready to remove previous versions of Exchange. For more information about removing legacy Exchange servers, see Modify or Remove Exchange 2010.
I wanted to thank the following people for reviewing and making suggestions to this blog post: Chad Solarz, Paul Newell, Josh Hagen, David Paulson, Nino Bilic, Rob Whaley, Bhalchandra Atre, Greg Taylor and Mike Brown.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.