Exchange 2007 and 2013 coexistence

    Question

  • Hello all, I recently just installed Exchange 2013 in my organization with 2007 still active. I would like to run a proper coexistence platform but seem to be having a few certificate issues. Some of my end users throughout the day will receive a message that says "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate." The users are still able to send and receive but this message pops up throughout the day. My new Exchange 2013 will function as the mailbox and client access server but my existing Exchange 2007 setup also acts as the client access, hub transport and mailbox server roles. So roles are conflicting.

    How can I get things properly working so that this certificate issue doesn't pop up anymore? I am not quite ready to export the certificate from 2007 into 2013 just yet. I am looking at possibly disabling the mailbox/client access services on my new Exchange 2013 server with it affecting anything.

    Suggestions?

    Tuesday, July 30, 2013 1:56 PM

Answers

  • I think the best thing you can do at this stage is read the TechNet article here:

    http://technet.microsoft.com/en-us/library/jj898581(v=exchg.150).aspx

    You need to create a legacy namespace, switch the client access layer to Exchange 2013 and this will require a public certificate on the E2013 CAS. 

    Then you need to switch the vDirs on 2007 to the legacy namespace. You also need to ensure OA settings are correct on legacy CAS.

    Your clients are probably hitting the 2013 CAS server for Autodiscover and the self-signed certificate is causing the popups.

    Although SCP lookup order is based on timestamp, I've seen that clients could potentially use SCP records that have been added very recently. Thus the reason I ensure my certificates are ready prior to deploying my first 2013 server.

    Michael

    • Marked as answer by adrianbald Tuesday, July 30, 2013 5:27 PM
    Tuesday, July 30, 2013 5:15 PM

All replies

  • Thanks so much. I just assumed that with both versions installed it would properly find the role with the certificate installed and would route through that.
    Tuesday, July 30, 2013 5:28 PM
  • Question - isn't there a way to point all transportation from EX2013 server to EX2007 without having to apply a certificate just yet?

    I feel like there has to be a way to point the client access server role and mailbox role over to our existing cashub server so that end-users don't receive that invalid certificate pop up anymore.

    Wednesday, July 31, 2013 2:47 PM
  • I was able to figure out the problem. For anyone with similar issues, the PS command I used below essentially turned off the autodiscovery so that end users would not hit the address which in turn would throw the certificate invalid popup.

    Set-ClientAccessServer -Identity cashubserver -AutoDiscoverServiceInternalUri $NULL

    Once Exchange 2013 is all configured you can turn it on again:

    Set-ClientAccessServer -Identity cashubserver -AutoDiscoverServiceInternalUri https://cashubserver.domain.com/Autodiscover/Autodiscover.xml

    Wednesday, July 31, 2013 6:14 PM
  • You can change the AutodiscoverServiceInternalURI for each CAS by running

    Get-ClientAccessServer ex2013 | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

    where the URI depends on what you currently have running in your environment. The URI usually points to a load-balanced pool of CAS where the A record points to the Virtual IP on the hardware load balancer.

    Hope that makes sense.

    Michael

    Thursday, August 01, 2013 6:15 AM
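
The accepted answer attributes the popups to clients reaching a CAS through its Autodiscover SCP record and being handed a self-signed certificate. The following is an added example, not code from the thread: it lists each CAS's AutoDiscoverServiceInternalUri and reports the certificate that host presents, along with the validation errors seen from the machine running it. The function name Test-AutodiscoverCertificate is hypothetical, and the result reflects that machine's trust store.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Test-AutodiscoverCertificate is a hypothetical helper name.
function Test-AutodiscoverCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][uri]$Uri
    )
    $state = @{ Errors = $null }
    # Record the policy errors this machine sees, but let the handshake finish
    # so an untrusted certificate can still be inspected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Uri.Host, $Uri.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server       = $Server
            ScpHost      = $Uri.Host
            Subject      = $cert.Subject
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            PolicyErrors = $state.Errors   # 'None' = trusted chain and matching name on this machine
        }
    }
    catch {
        [pscustomobject]@{
            Server = $Server; ScpHost = $Uri.Host; Subject = $null
            SelfSigned = $null; NotAfter = $null; PolicyErrors = "Connection failed: $($_.Exception.Message)"
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# One row per CAS that publishes an SCP URI; servers with a $null URI are skipped.
Get-ClientAccessServer |
    Where-Object { $_.AutoDiscoverServiceInternalUri } |
    ForEach-Object { Test-AutodiscoverCertificate -Server $_.Name -Uri $_.AutoDiscoverServiceInternalUri } |
    Format-Table -AutoSize
```

A row showing RemoteCertificateChainErrors or RemoteCertificateNameMismatch identifies an SCP URI whose host would trigger the certificate warning.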