Exchange 2003 to Exchange 2010 Step by Step

Exchange 2003 to Exchange 2010 Step by Step Deployment Guidance
Step 1: Verify prerequisites
I recommend that you run the Exchange Pre-Deployment Analyzer (ExPDA) to perform an
overall topology readiness scan of your environment. ExPDA provides a detailed report that will
alert you if there are any issues within your organization before you install Exchange 2010. If
ExPDA reports any warnings or errors, take care of those issues before you proceed any further.
To get ExPDA from the Microsoft Download Center, see: Exchange Pre-Deployment Analyzer
Learn more at: Understanding Exchange 2003 Upgrade Prerequisites
To successfully install Exchange 2010, the following components are required.
Directory Servers
- Schema master: The latest 32-bit or 64-bit edition of the Windows Server 2003 Service
Pack (SP) 1 Standard or Enterprise operating system or later or the latest 32-bit or 64-bit
edition of the Windows Server 2008 Standard or Enterprise operating system or later.
- Global catalog server: In every Active Directory site where you plan to install
Exchange 2010, you must have at least one global catalog server that is either the latest
32-bit or 64-bit edition of Windows Server 2003 SP1 Standard or Enterprise, the latest
32-bit or 64-bit edition of Windows Server 2008 Standard or Enterprise, or the latest
32-bit or 64-bit edition of Windows Server 2008 R2 Standard or Enterprise.
- Active Directory Forest: The Active Directory forest must be Windows Server 2003
forest functional mode.
- Domain Controller: You must have the latest 32-bit or 64-bit Windows Server 2003
Standard Edition or Enterprise Edition with SP1 or later operating system or the latest
32-bit or 64-bit edition of the Windows Server 2008 Standard or Enterprise RTM or later
operating system or the Windows Server 2008 R2 Standard or Enterprise RTM or later
operating system or the Windows Server 2008 Datacenter or Windows Server 2008 R2
Datacenter.
Operating Systems
One of the following operating systems is required:
- 64-bit edition of Windows Server 2008 Standard Service Pack 2
- 64-bit edition of Windows Server 2008 Enterprise Service Pack 2
- 64-bit edition of Windows Server 2008 Standard R2
- 64-bit edition of Windows Server 2008 Enterprise R2
Operating System Components
- .NET Framework 3.5 SP1
- Internet Information Services (IIS)
- Windows Management Framework, which includes:
  - Windows PowerShell V2.0
  - Windows Remote Management V2.0
Step 2: Install the Client Access server role
The Client Access role is one of five server roles in Exchange 2010. It's also typically the first
server role that is installed. The Client Access role enables access to mailbox data through a
variety of clients, such as Microsoft Office Outlook, Outlook Anywhere, Outlook Web App,
POP3, and IMAP4, and it also hosts Exchange Web services, such as the Autodiscover service
and the Availability service.
Learn more at: Understanding the Client Access Server Role
How do I do this?
You'll use the Exchange Server 2010 Setup wizard to install the Client Access role.
Important:
When you install the first Exchange 2010 server role, Exchange 2010 prepares your Windows
schema and forest before installing the server role. The amount of time that forest preparation
and replication takes depends on your Active Directory site topology.
1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears,
click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't
appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively,
browse to the location of your Exchange 2010 installation files and double-click
Setup.exe.
2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the
software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install
Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these
prerequisites aren't already installed, click the appropriate step to install them.
3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft
Exchange.
4. On the Introduction page, click Next.
5. On the License Agreement page, review the software license terms. If you agree to the
terms, select I accept the terms in the license agreement, and click Next.
6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting
feature, and click Next.
7. On the Installation Type page, select Custom Exchange Server Installation. For
Exchange 2010 SP2, you can select to automatically install all required Windows roles
and features for this server. If you want to change the installation path for Exchange
2010, click Browse, locate the appropriate folder in the folder tree, and then click OK.
Click Next.
8. On the Server Role Selection page, select the Client Access Role (or other server roles
you want to install), and click Next. The Management Tools option, which installs the
Exchange Management Console and the Exchange Management Shell, will also be
selected and installed.
9. Use the Configure Client Access Server external domain page to configure an external
fully qualified domain name (FQDN). This is the FQDN that you give to Outlook Web
App, Outlook Anywhere, and Exchange ActiveSync users to connect to Exchange 2010.
Select the check box, enter your FQDN, and then click Next.
10. On the Customer Experience Improvement Program page, optionally join in the
Exchange Customer Experience Improvement Program (CEIP). The CEIP collects
anonymous information about how you use Exchange 2010 and any problems that you
encounter. To join the CEIP, select Join the Customer Experience Improvement
Program, choose the industry that best represents your organization, and then click Next.
11. On the Readiness Checks page, review the Summary to determine if the system and
server are ready for the Client Access role to be installed. If all prerequisite checks
completed successfully, click Install. If any of the prerequisite checks failed, you must
resolve the displayed error before you can proceed with installing Exchange. In many
cases, you don't need to exit Setup while you're fixing issues. After you resolve an error,
click Retry to run the prerequisite check again. Also, be sure to review any warnings that
are reported.
12. The Progress page displays the progress and elapsed time for each phase of the
installation. As each phase ends, it's marked completed and the next phase proceeds. If
any errors are encountered, the phase will end as incomplete and unsuccessful. If that
happens, you must exit Setup, resolve any errors, and then restart Setup.
13. When all phases have finished, the Completion page displays. Review the results, and
verify that each phase completed successfully. Clear the check box for Finalize this
installation using the Exchange Management Console, and then click Finish to exit
Setup.
14. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit
prompt, click Yes.
15. Restart the computer to complete the installation of the Client Access role.
Step 3: Add digital certificates on the Client Access server
For secure external access to Exchange, you'll need a digital certificate. This certificate will
include an exportable private key in X.509 format (DER encoded binary or Base-64 encoded).
We recommend you procure, import, and enable a Subject Alternative Name (SAN) certificate
that contains the names for the current namespace, a legacy namespace, and the Autodiscover
namespace.
The names you need to include in your Exchange certificate are the fully qualified domain names
(FQDNs) used by client applications to connect to Exchange.
There are three steps to adding certificates to your Client Access server(s):
1. If you don't already have a digital certificate, you can use the New Certificate Request
Wizard in Exchange 2010 to generate a certificate request file, which you can then
submit to your selected Certification Authority.
2. After you have the digital certificate from your Certification Authority, you then
complete the certificate request process by importing the certificate into your Client
Access server.
3. After the certificate has been imported, you assign one or more client access services to
it.
Before proceeding with these steps, we recommend that you review this topic: Understanding
Digital Certificates and SSL
In addition, the configuration settings used in the Deployment Assistant assume that you’re
using split DNS for client access. Learn more at: Understanding DNS Requirements
Finally, if your Exchange 2003 server isn’t currently configured to use SSL for client access,
you’ll need to enable SSL to secure the communications between the client messaging
applications and the Exchange front-end server. You’ll also need to install the SSL certificate on
the Exchange 2003 front-end server. Learn more at: Exchange Server 2003 Client Access Guide.
How do I create a certificate request file for a new certificate?
You can use the New Exchange Certificate wizard to create your certificate request.
1. In the Console tree, click Server Configuration.
2. From the Actions pane, click New Exchange Certificate to open the New Exchange
Certificate wizard.
3. On the Introduction page, enter a friendly name for the certificate (for example,
Contoso.com Exchange certificate) and then click Next.
4. On the Domain Scope page, if you plan on using a wildcard certificate, check the box for
Enable wildcard certificate, enter the root portion of your domain (for example
contoso.com or *.contoso.com), and then click Next. If you're not using a wildcard
certificate, just click Next.
Note:
It's a best practice to not use wildcard certificates because they represent a potential
security risk. Like a SAN certificate, a wildcard certificate (for example, *.contoso.com)
can support multiple names. There are security implications to consider because the
certificate can be used for any sub-domain, including those outside the control of the
actual domain owner. A more secure alternative is to list each of the required domains as
Subject Alternative Names in the certificate. By default, this approach is used when
certificate requests are generated by Exchange.
5. On the Exchange Configuration page, expand and configure each area as follows:
a) Federated Sharing: Federated Sharing allows you to enable users to share
information with recipients in external federated organizations by creating
organization relationships between two Exchange 2010 organizations, or using a
sharing policy to allow users to create sharing relationships on an individual basis.
If you plan on using this feature, expand Federated Sharing and select the
Public certificate check box.
b) Client Access server (Outlook Web App): Expand this option and select the
check box(es) that are appropriate for your Outlook Web App usage (Intranet
and/or Internet). If you're using Outlook Web App internally, then in the Domain
name you use to access Outlook Web App internally field, remove the existing
server names and enter the FQDN you configured for external access to the Client
Access server during Setup of the Client Access server (for example,
mail.contoso.com). This is the same FQDN that is listed in the domain name field
for Outlook Web App on the Internet.
c) Client Access server (Exchange ActiveSync): Exchange ActiveSync should
already be selected and the domain name field should be configured with the
same FQDN used for Outlook Web App.
d) Client Access server (Web Services, Outlook Anywhere, and
Autodiscover): Exchange Web Services, Outlook Anywhere, and Autodiscover
on the Internet should already be selected. Outlook Anywhere should already be
configured to use two FQDNs: one that is the same FQDN used by Outlook Web
App (for example, mail.contoso.com) and one that is the root domain for that
FQDN (for example, contoso.com). Autodiscover should already be configured to
use a long URL, which should automatically be configured as
autodiscover.rootdomain (for example, autodiscover.contoso.com).
e) Client Access server (POP/IMAP): If you plan on using secure POP or secure
IMAP internally or over the Internet, expand this option and select the appropriate
check box. In the domain name field for each protocol, remove the individual
server names and enter the same FQDN you're using for Outlook Web App.
f) Unified Messaging server: If you plan on using Unified Messaging (UM)
features, you can use a certificate that is self-signed by an Exchange 2010 UM
server (which is the default option). If you're integrating UM with Office
Communications Server (OCS), you'll need to use a public certificate. We
recommend using a separate certificate for UM and OCS integration.
g) Hub Transport server: Hub Transport servers can use certificates to secure
Internet mail, as well as POP and IMAP client submission. If you plan on using
mutual TLS or if you're using POP or IMAP clients and want to secure their
SMTP submissions, select the appropriate check box and in the FQDN field, enter
the same FQDN you're using for Outlook Web App.
h) Legacy Exchange Server: This option is used to add the legacy namespace to the
certificate, which will be used only during the period of coexistence between Exchange
2010 and the legacy version(s). Expand this option, select the Use legacy domains check
box, and in the FQDN field, enter the FQDN you are using for your legacy namespace.
6. On the Certificate Domains page, review the list of domains that will be added to the
certificate. If the names are correct, click Next. If any names are missing or incorrect,
you can click Add to add missing names, or select a name and click Edit to modify the
name. Click Next.
7. On the Organization and Location page, fill in the Organization, Organization unit,
Location, Country/region, City/locality, and State/province fields. Click Browse and
browse to the location where you want the certificate request file created. In the File
name field, enter a name for the request file (for example, Exchange Certificate
Request.req) and click Save. Click Next.
8. On the Certificate Configuration page, review the configuration summary. If any
changes need to be made, click Back, and make the necessary changes. If everything is
correct, click New to generate the certificate request file.
9. On the Completion page, review the output of the wizard. Click Finish to close the
wizard.
10. Transmit the certificate request file to your selected Certification Authority, who will
then generate the certificate and transmit it to you. After you have the certificate file, you
can use the Complete Pending Request wizard to import the certificate file into Exchange
2010.
11. In the Console tree, click Server Configuration.
12. In the Work pane, right-click the certificate request you created and click Complete
Pending Request.
13. On the Introduction page, click Browse to select the certificate file provided to you by
your selected Certification Authority. Enter the private key password for the certificate,
and then click Complete.
14. On the Completion page, verify that the request completed successfully. Click Finish to
close the Complete Pending Request wizard.
How do I assign services to the certificate?
You can use the Assign Services to Certificate wizard to assign the appropriate services to the
imported certificate.
1. After the certificate has been successfully imported, you can assign services to it. Select
the certificate in the Work pane, and then from the Actions pane, click Assign Services
to Certificate to open the Assign Services to Certificate wizard.
2. On the Select Servers page, the Exchange server into which you imported the certificate
is shown. Click Next.
3. On the Select Services page, select the check box for each service you want assigned to
the selected certificate and then click Next. For example, select the check box for
Internet Information Services (IIS) to assign services for Outlook Web App, Exchange
ActiveSync, and other Exchange services that are integrated with IIS.
4. On the Assign Services page, review the configuration summary. If any changes need to
be made, click Back. If the configuration summary is correct, click Assign to assign the
specified services to the selected certificate.
5. On the Completion page, verify that each step completed successfully. Click Finish to
close the wizard.
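The check below is an added example, not part of the original guide: it compares a certificate's name list against the namespaces clients will use (current, legacy, and Autodiscover) and lists any wildcard entries for review. The function names and the contoso.com sample names are assumptions made for illustration; the code runs in Windows PowerShell 2.0 without Exchange installed.

```powershell
# Added example: verify that a certificate's names cover every client-facing
# namespace, and list wildcard entries so they can be reviewed.

function Test-NameMatch {
    param(
        [Parameter(Mandatory = $true)] [string]$Pattern,
        [Parameter(Mandatory = $true)] [string]$HostName
    )
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    # A wildcard covers exactly one left-most label: *.contoso.com matches
    # mail.contoso.com, but not contoso.com and not a.b.contoso.com.
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                       # ".contoso.com"
        if ($h.EndsWith($suffix)) {
            $label = $h.Substring(0, $h.Length - $suffix.Length)
            return (($label.Length -gt 0) -and (-not $label.Contains('.')))
        }
    }
    return $false
}

function Test-CertificateNamespaceCoverage {
    param(
        [Parameter(Mandatory = $true)] [string[]]$CertificateDomains,
        [Parameter(Mandatory = $true)] [string[]]$RequiredNames
    )
    # Collect every required name that no certificate entry covers.
    $missing = @()
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($entry in $CertificateDomains) {
            if (Test-NameMatch -Pattern $entry -HostName $name) { $covered = $true; break }
        }
        if (-not $covered) { $missing += $name }
    }
    # Collect wildcard entries separately; they are valid but broader than needed.
    $wildcards = @()
    foreach ($entry in $CertificateDomains) {
        if ($entry.StartsWith('*')) { $wildcards += $entry }
    }
    New-Object PSObject -Property @{
        AllNamesCovered = ($missing.Count -eq 0)
        MissingNames    = $missing
        WildcardEntries = $wildcards
    }
}

# Constructed sample data (not taken from a real certificate).
$required = 'mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com'
$sanCert  = 'mail.contoso.com', 'contoso.com', 'autodiscover.contoso.com'  # legacy name left out
$wildCert = '*.contoso.com'

Test-CertificateNamespaceCoverage -CertificateDomains $sanCert  -RequiredNames $required
Test-CertificateNamespaceCoverage -CertificateDomains $wildCert -RequiredNames $required

# On the Client Access server, pass the imported certificate's names instead
# ('<thumbprint>' is a placeholder for your certificate's thumbprint):
# $cert  = Get-ExchangeCertificate -Thumbprint '<thumbprint>'
# $names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
# Test-CertificateNamespaceCoverage -CertificateDomains $names -RequiredNames $required
```

The first sample reports legacy.contoso.com as missing; the second covers all three names but surfaces the wildcard entry that the note above advises against.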
How do I install the certificate on the legacy Exchange server?
In addition to installing the SSL certificate on the Exchange 2010 Client Access server, you'll
also need to install the certificate on the Exchange 2007 Client Access server or the Exchange
2003 server so that users with mailboxes on Exchange 2007 or Exchange 2003 can use SSL to
connect to their mailboxes.
Note:
If you'll be moving all mailboxes from Exchange 2003 or Exchange 2007 to Exchange 2010 over
a short period of downtime, such as a weekend, you can skip these steps.
Before you install the digital certificate on the legacy Exchange server you must first export it
from the Exchange 2010 Client Access server. To export your digital certificate, use the
following steps.
1. Export the digital certificate to the variable $file using the following command.
$file = Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Password (Get-Credential).password
2. The following command uses the Set-Content cmdlet to write data stored in the variable
$file to the file htcert.pfx.
Set-Content -Path "c:\certificates\htcert.pfx" -Value $file.FileData -Encoding Byte
To install a digital certificate on an Exchange 2003 server, use the following steps.
1. Copy the exported certificate to a location that can be accessed from the Exchange 2003
server.
2. Click Start, Run, type MMC, and then click OK.
3. In the left hand pane, expand Certificates (Local Computer), and then select the
Personal node.
4. Right-click Certificates, click All Tasks, and then click Import to launch the Certificate
Import Wizard. Click Next.
5. Enter the password you used when you exported the PFX file, select the Mark the
private key as exportable check box and then click Next.
6. Select Automatically select the certificate store based on the type of certificate, click
Next, and then click Finish.
To install a digital certificate on an Exchange 2007 server, use the following steps.
1. Copy the exported certificate to a location that can be accessed from the Exchange 2007
server.
2. Using the Exchange Management Shell, run the following command.
Import-ExchangeCertificate -Path c:\certificates\import.pfx -Password:(Get-Credential).password
Step 4: Configure Outlook Anywhere
Outlook Anywhere eliminates the need for users in remote offices or mobile users to have to use
a VPN to connect to their Exchange servers. Although Outlook Anywhere is an optional
component of Exchange 2010, we recommend its use if you have external clients that will
connect to Exchange 2010. Outlook Anywhere provides access to a user's mailbox via RPC over
HTTPS.
As with any external client access method, there are security implications to consider when
deploying Outlook Anywhere. Before making the decision to deploy Outlook Anywhere, you
should read: Understanding Security for Outlook Anywhere
How do I do this?
The Enable Outlook Anywhere wizard helps you with this task.
1. In the console tree, navigate to Server Configuration > Client Access.
2. In the action pane, click Enable Outlook Anywhere.
3. On the Outlook Anywhere tab:
- Type the external host name or URL for your organization in External host
name. The external host name should be the FQDN you entered when installing
the Client Access server role, which is the existing host name. For example,
mail.contoso.com.
- Select either Basic authentication or NTLM authentication.
Important:
Don’t select Negotiate Ex authentication. It’s an authentication type that's
reserved for future Microsoft use. If you select this setting, authentication will
fail.
- If you're using an SSL accelerator and you want to use SSL offloading, select
Allow secure channel (SSL) offloading.
Important:
Don't use this option unless you're sure that you have an SSL accelerator that can
handle SSL offloading. If you don't have an SSL accelerator that can handle SSL
offloading, and you select this option, Outlook Anywhere won't function
correctly.
4. Click Enable to apply these settings and enable Outlook Anywhere.
Step 5: Configure OAB and Web Services virtual directories
To enable Outlook Anywhere clients to discover and automatically connect to Exchange 2010, you must
configure the offline address book (OAB) and Exchange Web Services virtual directories. This step is only
necessary if you'll be using Exchange Web Services, Outlook Anywhere, or the offline address book.
Learn more at: Understanding Offline Address Books and Configure External Client Access
Namespaces
How do I do this?
You must use the Exchange Management Shell to configure OAB and Exchange Web Services
virtual directory settings.
If you're unfamiliar with the Shell, learn more at: Overview of Exchange Management Shell
1. Configure the external URL for the offline address book using the following syntax.
Set-OABVirtualDirectory -Identity "CAS01\OAB (Default Web Site)" -ExternalUrl https://mail.contoso.com/OAB -RequireSSL:$true
2. Configure the external URL for Exchange Web Services using the following syntax.
Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" -ExternalUrl https://mail.contoso.com/EWS/Ex
To verify that these steps were completed successfully, run the following commands to verify the
ExternalURL property is set correctly on both virtual directories.
Get-OABVirtualDirectory -Identity "CAS01\OAB (Default Web Site)"
Get-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)"
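As an added example (not from the original guide), the following function automates the ExternalUrl check for both virtual directories: it reports any URL that is unset, not absolute, not HTTPS, or not on the external FQDN configured during Setup. Test-ExternalUrl is a hypothetical name, and the sample records are constructed so the block runs in plain Windows PowerShell 2.0.

```powershell
# Added example: audit the ExternalUrl of virtual directory objects.
function Test-ExternalUrl {
    param(
        [Parameter(Mandatory = $true)] [object[]]$VirtualDirectory,
        [Parameter(Mandatory = $true)] [string]$ExpectedHost
    )
    foreach ($vdir in $VirtualDirectory) {
        $problems = @()
        $raw = [string]$vdir.ExternalUrl          # empty string when the property is $null
        if ([string]::IsNullOrEmpty($raw)) {
            $problems += 'ExternalUrl is not set'
        } else {
            $uri = $null
            if (-not [System.Uri]::TryCreate($raw, [System.UriKind]::Absolute, [ref]$uri)) {
                $problems += 'ExternalUrl is not an absolute URL'
            } else {
                # External clients must connect over SSL to the published namespace.
                if ($uri.Scheme -ne 'https') {
                    $problems += "scheme is '$($uri.Scheme)', expected https"
                }
                if ($uri.Host -ne $ExpectedHost) {
                    $problems += "host is '$($uri.Host)', expected '$ExpectedHost'"
                }
            }
        }
        New-Object PSObject -Property @{
            Identity    = [string]$vdir.Identity
            ExternalUrl = $raw
            Problems    = ($problems -join '; ')   # empty when the URL passes every check
        }
    }
}

# Constructed sample records standing in for the cmdlet output (values are illustrative).
$sample = @(
    (New-Object PSObject -Property @{ Identity = 'CAS01\OAB (Default Web Site)'
                                      ExternalUrl = 'https://mail.contoso.com/OAB' }),
    (New-Object PSObject -Property @{ Identity = 'CAS01\EWS (Default Web Site)'
                                      ExternalUrl = 'http://cas01.contoso.local/EWS/' }),
    (New-Object PSObject -Property @{ Identity = 'CAS02\OAB (Default Web Site)'
                                      ExternalUrl = $null })
)
Test-ExternalUrl -VirtualDirectory $sample -ExpectedHost 'mail.contoso.com' |
    Format-List Identity, ExternalUrl, Problems

# In the Exchange Management Shell, audit the live objects instead:
# $vdirs = @(Get-OABVirtualDirectory -Identity 'CAS01\OAB (Default Web Site)') +
#          @(Get-WebServicesVirtualDirectory -Identity 'CAS01\EWS (Default Web Site)')
# Test-ExternalUrl -VirtualDirectory $vdirs -ExpectedHost 'mail.contoso.com'
```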
Step 6: Install the Hub Transport server role
The Hub Transport server role is responsible for internal mail flow for the Exchange
organization. It handles all mail flow inside the organization, applies transport rules, applies
journaling policies, and delivers messages to recipient mailboxes.
Learn more at: Overview of the Hub Transport Server Role
You can install the Hub Transport server role on dedicated hardware, or you can install it on the
same server where you installed the Client Access server role.
How do I install the Hub Transport server role on dedicated hardware?
The Exchange Server 2010 Setup wizard helps you install the Hub Transport role:
1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears,
click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't
appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively,
browse to the location of your Exchange 2010 installation files and double-click
Setup.exe.
2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the
software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install
Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these
prerequisites aren't already installed, click the appropriate step to install them.
3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft
Exchange.
4. On the Introduction page, click Next.
5. On the License Agreement page, review the software license terms. If you agree to the
terms, select I accept the terms in the license agreement, and click Next.
6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting
feature, and click Next.
7. On the Installation Type page, select Custom Exchange Server Installation. For
Exchange 2010 SP1, you can select to automatically install all required Windows roles
and features for this server. To optionally change the installation path for Exchange 2010,
click Browse, locate the appropriate folder in the folder tree, and then click OK. Click
Next.
8. On the Server Role Selection page, select the Hub Transport Role, and click Next. The
Management Tools option, which installs the Exchange Management Console and the
Exchange Management Shell, will also be selected and installed.
9. On the Readiness Checks page, review the Summary to determine if the system and
server are ready for the Hub Transport role to be installed. If all prerequisite checks
completed successfully, click Install. If any of the prerequisite checks failed, you must
resolve the displayed error before you can
10. The Progress page displays the progress and elapsed time for each phase of the
installation. As each phase ends, it's marked completed and the next phase proceeds. If
any errors are encountered, the phase will end as incomplete and unsuccessful. If that
happens, you must exit Setup, resolve any errors, and then restart Setup.
11. When all phases have finished, the Completion page displays. Review the results, and
verify that each phase completed successfully. Clear the check box for Finalize this
installation using the Exchange Management Console, and then click Finish to exit
Setup.
12. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit
prompt, click Yes.
13. Restart the computer to complete the installation of the Hub Transport role.
How do I add the Hub Transport server role to my Client Access server?
You can also use the Exchange Server 2010 Setup wizard to add the Hub Transport role to your
existing Client Access server.
1. In Control Panel, start Programs and Features.
2. Select Microsoft Exchange Server 2010 from the list of installed programs, and then
click Change.
3. The Exchange Server 2010 Setup wizard starts in Exchange Maintenance Mode. Click
Next.
4. On the Server Role Selection page, select the check box for Hub Transport Role and
then click Next.
5. On the Readiness Checks page, review the Summary to determine if the system and
server are ready for the Hub Transport role to be installed. If all prerequisite checks
completed successfully, click Install. If any of the prerequisite checks failed, you must
resolve the displayed error before you can proceed with installing the Hub Transport role.
In many cases, you don't need to exit Setup while you're fixing issues. After you resolve
an error, click Retry to run the prerequisite check again. Also, be sure to review any
warnings that are reported.
6. The Progress page will display the progress and elapsed time for each phase of the
installation. As each phase ends, it will be marked completed and the next phase will
proceed. If any errors are encountered, the phase will end as incomplete and
unsuccessful. In this event, you must exit Setup, resolve any errors, and then restart Setup
in Maintenance Mode.
7. When all phases have finished, the Completion page will be displayed. Review the
results and verify that each phase completed successfully. Click Finish to exit Setup.
8. Restart the computer to complete the installation of the Hub Transport role.
Step 7: Configure Exchange ActiveSync authentication
In order for Exchange ActiveSync to function during Exchange 2003 and Exchange 2010
coexistence, you must configure Integrated Windows authentication on the
Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. During this
procedure, services will be restarted on the Exchange 2003 server, resulting in a brief
interruption in service.
Learn more at: Understanding Exchange ActiveSync Coexistence
How do I do this?
There are two methods you can use to complete this task.
1. Install this hotfix for the Exchange 2003 server: "Event ID 1036 is logged on an
Exchange 2007 server that is running the CAS role when mobile devices connect to the
Exchange 2007 server to access mailboxes on an Exchange 2003 back-end server."
Get the hotfix from: Microsoft Support site
2. Using Exchange System Manager on the Exchange 2003 server, adjust the authentication
settings of the Exchange ActiveSync virtual directory.
3. Repeat these steps for all Exchange 2003 servers in your organization that contain
mailboxes.
Alternatively, you can do the following:

- Set the msExchAuthenticationFlags attribute to a value of 6 on the
Microsoft-Server-ActiveSync object within the configuration container on each
Exchange 2003 server that contains mailboxes.
Step 8: Configure a legacy host name
You need to create a legacy domain name system (DNS) host name so your legacy Exchange
environment (Exchange 2003 and/or Exchange 2007) and Exchange 2010 can coexist. For
example, if your domain name is currently abc.com, you're likely using a host name of
mail.abc.com or www.abc.com for external client access to Exchange. During coexistence, I
recommend creating and using, for example, a host name of legacy.abc.com. This host name
should be configured the same way your primary host name is configured. You'll associate the
legacy host name with your existing Exchange server and associate your current host name (for
example, mail.abc.com) with your Exchange 2010 Client Access server or array. Your end users
will not see or use the legacy host name. It will be used by Autodiscover and Client Access
servers when redirecting legacy users to a legacy server.
All client connections will be redirected, including Exchange ActiveSync, Outlook Web App,
POP3, and IMAP4. After the legacy host name has been configured, users will be able to access
their mailbox regardless of whether it's on Exchange 2010 or Exchange 2003. If you're upgrading
from Exchange 2007 to Exchange 2010 or from an environment that contains both Exchange
2007 and Exchange 2003, Availability service requests will also be redirected. In addition, after
you configure a legacy host name, you'll also need to ensure that your digital certificates are
configured with the legacy host names.
Learn more at: Understanding DNS Requirements and Understanding Digital Certificates and
SSL
How do I do this?
The steps to perform this task will vary for each organization. That's because the exact steps
depend on your Internet provider and firewall configuration. Example steps for GoDaddy are
provided below just to give you an idea of how things work. Your actual steps may vary. But, in
general, you need to:
1. Create a DNS host (A) record in your internal and external DNS servers that points to the
IP address of your legacy Internet-facing Exchange server (for example, Exchange 2007
Client Access server, Exchange 2003 front-end server, etc.) in internal DNS or the public
IP address on your reverse proxy or firewall solution (external DNS). The host name
should be in the format of legacy.domain.com (for example, legacy.abc.com).
2. Create a publishing rule for the legacy host name in your reverse proxy or firewall
solution to point to your legacy Internet-facing Exchange server. Refer to your
proxy/firewall solution's user manual for instructions on how to do this.
3. Configure the existing DNS host (A) record in your internal and external DNS servers for
your original host name (for example, mail.abc.com) to point to your Exchange 2010
organization; for example, the IP address of your Client Access server or array (internal
DNS), or the public IP address on your reverse proxy or firewall solution (external DNS).
So, for example, if your provider is GoDaddy.com, here's how you create a DNS host (A) record
and associate it with your legacy Exchange infrastructure:
1. From your GoDaddy account management home page, click Domain Manager under the
My Products heading in the left sidebar.
2. If prompted, log in to your account.
3. In the Total DNS section of the Domain Manager information screen, click Total DNS
Control.
4. In the A (Host) section of the Total DNS Control screen click Add new A record.
5. Enter the host name, for example legacy.abc.com and enter the IP address of your legacy
Exchange server in the Points to IP address box.
6. Choose a TTL (time to live) value. If you're performing this step well in advance of your
Exchange 2010 installation, you can choose 1 day or 1 week from the drop-down list box.
Otherwise, choose the default of 1 hour or 1/2 hour.
7. Click OK to complete your changes.
If your Exchange 2003 server isn’t currently configured to use SSL for client access, you’ll need
to enable SSL to secure the communications between the client messaging applications and the
Exchange front-end server. Learn more at: Exchange Server 2003 Client Access Guide
How do I know this worked?
From outside your firewall, perform the following steps, using your specific domain name.
1. Navigate to https://mail.abc.com/owa, and verify that you can access Outlook Web App
for a user whose mailbox is on Exchange 2010.
2. Navigate to https://legacy.abc.com/exchange, and verify that you can access Outlook
Web Access for a user whose mailbox is on a legacy Exchange server.
3. Navigate to https://mail.abc.com/owa, and verify that you can access Outlook Web App
for a user whose mailbox is on a legacy Exchange server.
You can also use the Exchange Server Remote Connectivity Analyzer to verify connectivity for
the legacy namespace.
You'll find ExRCA at: https://www.testexchangeconnectivity.com
Step 9: Install the Mailbox server role
The Mailbox server role hosts mailbox and public folder databases, and it generates the offline
address book (OAB). Mailbox servers also provide services that enforce e-mail address policies
and managed folders.
Learn more at: Overview of the Mailbox Server Role
You can install the Mailbox server role on dedicated hardware, or you can install it on a server
that is already running Exchange 2010.
How do I install the Mailbox server role on dedicated hardware?
The Exchange Server 2010 Setup wizard helps you install the Mailbox role.
1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears,
click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't
appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively,
browse to the location of your Exchange 2010 installation files and double-click
Setup.exe.
2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the
software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install
Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these
prerequisites aren't already installed, click the appropriate step to install them.
3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft
Exchange.
4. On the Introduction page, click Next.
5. On the License Agreement page, review the software license terms. If you agree to the
terms, select I accept the terms in the license agreement, and click Next.
6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting
feature, and click Next.
7. On the Installation Type page, select Custom Exchange Server Installation. For
Exchange 2010 SP2, you can select to automatically install all required Windows roles
and features for this server. To optionally change the installation path for Exchange 2010,
click Browse, locate the appropriate folder in the folder tree, and then click OK. Click
Next.
8. On the Server Role Selection page, select the Mailbox Role, and click Next. The
Management Tools option, which installs the Exchange Management Console and the
Exchange Management Shell, will also be selected and installed.
Important:
If you're installing the Mailbox server role, the Task Scheduler must be enabled and
running. In addition, if the Mailbox server will be a member of a DAG and host
replicated databases, it’s required that the script is scheduled and run automatically.
9. On the Client Settings page, select Yes if your organization has client computers running
either Microsoft Outlook 2003 or Microsoft Entourage 2004 or earlier. Select No if you
don't.
10. On the Readiness Checks page, review the Summary to determine if the system and
server are ready for the Mailbox role to be installed. If all prerequisite checks completed
successfully, click Install. If any of the prerequisite checks failed, you must resolve the
displayed error before you can proceed with installing the Mailbox role. In many cases,
you don't need to exit Setup while you're fixing issues. After you resolve an error, click
Retry to run the prerequisite check again. Also, be sure to review any warnings that are
reported.
11. The Progress page displays the progress and elapsed time for each phase of the
installation. As each phase ends, it's marked completed and the next phase proceeds. If
any errors are encountered, the phase will end as incomplete and unsuccessful. If that
happens, you must exit Setup, resolve any errors, and then restart Setup.
12. When all phases have finished, the Completion page displays. Review the results, and
verify that each phase completed successfully. Clear the check box for Finalize this
installation using the Exchange Management Console, and then click Finish to exit
Setup.
13. When you are returned to the Setup welcome screen, click Close. On the Confirm Exit
prompt, click Yes.
14. Restart the computer to complete the installation of the Mailbox role.
How do I add the Mailbox server role to an existing Exchange 2010 server?
You can also use the Exchange Server 2010 Setup wizard to add the Mailbox role to an existing
Exchange 2010 server.
1. In Control Panel, start Programs and Features.
2. Select Microsoft Exchange Server 2010 from the list of installed programs, and then
click Change.
3. The Exchange Server 2010 Setup wizard starts in Exchange Maintenance Mode. Click
Next.
4. On the Server Role Selection page, select the check box for Mailbox Role and then
click Next.
5. On the Readiness Checks page, review the Summary to determine if the system and
server are ready for the Mailbox role to be installed. If all prerequisite checks completed
successfully, click Install. If any of the prerequisite checks failed, you must resolve the
displayed error before you can proceed with installing the Mailbox role. In many cases,
you don't need to exit Setup while you're fixing issues. After you resolve an error, click
Retry to run the prerequisite check again. Also, be sure to review any warnings that are
reported.
6. The Progress page will display the progress and elapsed time for each phase of the
installation. As each phase ends, it will be marked completed and the next phase will
proceed. If any errors are encountered, the phase will end as incomplete and
unsuccessful. In this event, you must exit Setup, resolve any errors, and then restart Setup
in Maintenance Mode.
7. When all phases have finished, the Completion page will be displayed. Review the
results and verify that each phase completed successfully. Click Finish to exit Setup.
8. Restart the computer to complete the installation of the Mailbox role.
Step 10: Move OAB generation to Exchange 2010
Offline address book (OAB) generation is the process by which Exchange creates and updates
the OAB. To do that, an internal process called OABGen runs on a Mailbox server that has been
designated as the OAB generation server. When OAB generation occurs, Exchange generates
new OAB files, compresses the files, and then shares the files to client computers.
Outlook 2003 and earlier clients require OAB distribution to occur using public folders. In
Exchange 2010, OABs can be distributed using public folders to support Outlook 2003 clients.
OABs can also be distributed using Web services to support Outlook 2007 and Outlook 2010.
You can generate the OAB from an Exchange 2003 server provided that public folder
distribution is enabled in Exchange 2010. However, be aware that if you generate the OAB from
an Exchange 2003 server, you will lose the following functionality:


• Japanese phonetic display name, phonetic surname, phonetic given name, phonetic
company name, and phonetic department name
• PR_DISPLAY_TYPE_EX, which is used by Outlook 2007 and later to render the correct
icon for objects that are replicated across the forest.
To ensure full functionality with Exchange 2010 features, I recommend that you move the OAB
generation to an Exchange 2010 mailbox server. Moving the OAB generation from an earlier
version of Exchange to Exchange 2010 results in a full OAB download for all clients.
Learn more at: Understanding Offline Address Books
How do I do this?
You can use the Move Offline Address Book wizard in the Exchange Management Console
(EMC) to perform this procedure.
1. In the Console tree, navigate to Organization Configuration > Mailbox.
2. In the Result pane, click the Offline Address Book tab, and then select the OAB for
which you want to move the generation to a new server.
3. In the Actions pane, click Move.
4. On the Move Offline Address Book page, click Browse to select the server to which you
want to move the OAB generation process, and then click OK.
5. Click Move to move the OAB generation process to the selected server.
6. On the Completion page, verify that the operation completed successfully. Click Finish
to close the Move Offline Address Book wizard.
7. In the Actions pane, click Properties. On the Distribution tab, select the Enable Web-based
distribution and the Enable public folder distribution check boxes and then click OK.
Step 11: Install the Edge Transport server role
The Edge Transport server performs anti-spam and antivirus filtering, and it also applies
messaging and security policies to messages in transport. The Edge Transport server role can't
coexist on the same computer with any other Exchange server role. You must deploy the Edge
Transport server role in the perimeter network and outside the secure Active Directory forest.
Learn more at: Overview of the Edge Transport Server Role
How do I do this?
The Exchange Server 2010 Setup wizard helps you install the Edge Transport role.
1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears,
click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't
appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively,
browse to the location of your Exchange 2010 installation files and double-click
Setup.exe.
2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the
software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install
Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these
prerequisites aren't already installed, click the appropriate step to install them.
3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft
Exchange.
4. On the Introduction page, click Next.
5. On the License Agreement page, review the software license terms. If you agree to the
terms, select I accept the terms in the license agreement, and click Next.
6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting
feature, and click Next.
7. On the Installation Type page, select Custom Exchange Server Installation. To
optionally change the installation path for Exchange 2010, click Browse, locate the
appropriate folder in the folder tree, and then click OK. Click Next.
8. On the Server Role Selection page, select the Edge Transport Role, and click Next. The
Management Tools option, which installs the Exchange Management Console and the Exchange
Management Shell, will also be selected and installed.
9. On the Customer Experience Improvement Program page, optionally join in the
Exchange Customer Experience Improvement Program (CEIP). The CEIP collects
anonymous information about how you use Exchange 2010 and any problems that you
encounter. To join the CEIP, select Join the Customer Experience Improvement
Program, choose the industry that best represents your organization, and then click Next.
10. On the Readiness Checks page, review the Summary to determine if the system and
server are ready for the Edge Transport role to be installed. If all prerequisite checks
completed successfully, click Install. If any of the prerequisite checks failed, you must
resolve the displayed error before you can proceed with installing the Edge Transport
role. In many cases, you don't need to exit Setup while you're fixing issues. After you
resolve an error, click Retry to run the prerequisite check again. Also, be sure to review
any warnings that are reported.
11. The Progress page displays the progress and elapsed time for each phase of the
installation. As each phase ends, it's marked completed and the next phase proceeds. If
any errors are encountered, the phase will end as incomplete and unsuccessful. If that
happens, you must exit Setup, resolve any errors, and then restart Setup.
12. When all phases have finished, the Completion page displays. Review the results, and
verify that each phase completed successfully. Clear the check box for Finalize this
installation using the Exchange Management Console, and then click Finish to exit
Setup.
13. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit
prompt, click Yes.
14. Restart the computer to complete the installation of the Edge Transport role.
Step 12: Subscribe the Edge Transport server
You can use the Exchange Management Shell or the Exchange Management Console on the Hub
Transport server to configure Internet mail flow when your organization sends and receives
Internet e-mail by using a subscribed Edge Transport server.
To establish Internet mail flow, you subscribe the Edge Transport server to an Active Directory
site. This process automatically creates the following Send connectors, which are required for
Internet mail flow:


• A Send connector configured to send e-mail to all Internet domains.
• A Send connector configured to send e-mail from the Edge Transport server to the Hub
Transport server.
Before you complete these steps, ensure that network communications over the secure LDAP
port 50636/TCP are enabled through the firewall that separates the perimeter network containing
the Edge Transport server from the internal Exchange organization.
Learn more at: Understanding Edge Subscriptions
How do I do this?
Use the following steps to subscribe the Edge Transport server to an Active Directory site:
1. On the Edge Transport server, run the following command in the Shell.
New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
2. Copy the resulting XML file to a Hub Transport server in the Active Directory site to
which you want to subscribe the Edge Transport server.
3. On the Hub Transport server, open the EMC, navigate to Organization Configuration >
Hub Transport, and select the Edge Subscriptions tab.
4. In the Actions pane, click New Edge Subscription to start the New Edge Subscription
wizard.
5. In the Active Directory site field on the New Edge Subscription page, click Browse to
select the Active Directory site to which you want to subscribe the Edge Transport server.
6. In the Subscription file field, click Browse to select the EdgeSubscriptionInfo.xml file
that was copied to the Hub Transport server in Step 2.
7. Leave as selected the Automatically create a Send connector for this Edge
Subscription check box, and click New to create the Edge Subscription.
8. On the Completion page, review the task results and verify that the subscription was
successfully created. The wizard will display a warning indicating that the Hub Transport
servers in the subscribed site must be able to resolve the IP address for the Edge
Transport server and to connect to TCP port 50636 on the Edge Transport server. Before
proceeding with the next step, we recommend you verify this connectivity.
9. On the Hub Transport server, run the following command in the Shell.
Start-EdgeSynchronization
For more information, see: Import an Edge Subscription File to an Active Directory Site
For detailed syntax and parameter information, see: New-EdgeSubscription or
Start-EdgeSynchronization
How do I know this worked?
After you create a new Edge Subscription, the Edge Transport server referenced in the Edge
Subscription file is associated with the Hub Transport servers in an Active Directory site.
To verify that replication of the new Edge Subscription was successful, you can run
Get-EdgeSubscription in the Shell.
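The connectivity check that the wizard's warning asks for (name resolution plus TCP port 50636), followed by the synchronization and verification commands, as an added example that is not part of the original guide. It assumes a placeholder Edge Transport server name, edge01.abc.com, and uses only .NET classes available to Windows PowerShell v2.

```powershell
# Added example. Run in the Exchange Management Shell on a Hub Transport server
# in the subscribed Active Directory site.
# Assumption: edge01.abc.com is a placeholder for your Edge Transport server's FQDN.
$EdgeFqdn     = 'edge01.abc.com'
$EdgeSyncPort = 50636      # secure LDAP port named in this guide
$TimeoutMs    = 5000

function Test-EdgeSyncReachability {
    param(
        [string]$HostName,
        [int]$Port,
        [int]$TimeoutMs = 5000
    )

    $result = New-Object PSObject -Property @{
        HostName  = $HostName
        Port      = $Port
        Addresses = @()
        PortOpen  = $false
        Failure   = $null
    }

    # 1. Name resolution: the Hub Transport server must resolve the Edge server.
    try {
        $result.Addresses = @([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString })
    }
    catch {
        $result.Failure = "DNS resolution failed: $($_.Exception.Message)"
        return $result
    }

    # 2. TCP connect with a timeout, so a firewall that silently drops packets
    #    does not hang the check.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($pending)   # throws if the connection was refused
            $result.PortOpen = $client.Connected
        }
        else {
            $result.Failure = "No answer on TCP $Port within $TimeoutMs ms (filtered?)"
        }
    }
    catch {
        $result.Failure = "TCP $Port connect failed: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
    return $result
}

$check = Test-EdgeSyncReachability -HostName $EdgeFqdn -Port $EdgeSyncPort -TimeoutMs $TimeoutMs
$check | Format-List HostName, Addresses, Port, PortOpen, Failure

if ($check.PortOpen) {
    Start-EdgeSynchronization            # step 9 of the procedure above
    Get-EdgeSubscription | Format-List   # the subscription should now be listed
}
else {
    Write-Warning "Fix name resolution or the firewall rule for TCP $EdgeSyncPort before starting EdgeSync."
}
```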
Step 13: Configure Send connectors (Do this step ONLY IF YOU ARE NOT USING EDGE TRANSPORT SERVERS)
During your upgrade from Exchange 2003 to Exchange 2010 you will move outbound Internet
mail flow from Exchange 2003 to Exchange 2010. If you’re using an Edge Transport server and
have completed the steps described for installing the Edge Transport server role and subscribing
the Edge Transport server, then outbound Internet mail flow is already configured in Exchange
2010, and all you will need to do is delete the Exchange 2003 SMTP Connector.
If you’re not using an Edge Transport server, then you must create at least one Send connector
configured with the appropriate address space, and then delete the existing Exchange 2003
SMTP connector(s).
Learn more at: Understanding Send Connectors
How do I create a Send connector?
You can use the New Send Connector wizard in the Exchange Management Console to perform
this procedure.
1. In the Console tree, expand Organization Configuration and select Hub Transport.
2. In the result pane, click the Send Connectors tab.
3. In the Actions pane, click New Send Connector. The New SMTP Send Connector
wizard starts.
4. On the Introduction page, follow these steps:
• In the Name field, type a meaningful name for this connector. Specify a name for
the Send connector that helps you distinguish this Send connector from other
Send connectors in your configuration.
• In the Select the intended use for this connector field, select Internet and click
Next.
5. On the Address space page, click Add.
6. In the Address field, enter * and click OK. Click Next.
7. On the Network settings page, review the available options and select how to send e-mail
with the Send connector. (If you need more information about the settings, click
F1.)
• Select the Use the External DNS Lookup settings on the transport server
check box if you want to use a specific list of DNS servers instead of the DNS
server(s) configured for the Hub Transport server's network adapter. After you
finish, click Next.
Important:
Verify that you have configured the external DNS servers list by using the
Set-TransportServer cmdlet, or by using the External DNS Lookups tab in the
properties of the Hub Transport server.
• If you're using a smart host, the Configure smart host authentication settings
page appears. By default, no authentication is used. To configure the smart host
authentication settings, click Change. Select the method you want to use to
authenticate to the smart host, and then click Next.
Note:
Here are some things to be aware of if the smart host requires Basic
authentication. Basic authentication requires that you provide a user name and
password. We strongly recommend that you use an encrypted connection if you're
using Basic authentication because the user name and password are sent in clear
text. Select the Basic Authentication over TLS check box to enable encryption
on the connection. Also, if you specify more than one smart host for this Send
connector, all the specified smart hosts must accept the same user name and
password.
8. On the Source Server page, click Next.
9. On the New Connector page, review the configuration summary for the connector. If
you want to modify the settings, click Back. If the summary is correct, click New to
create the Send connector.
10. On the Completion page, review the following, and then click Finish to close the wizard:
• A status of Completed indicates that the wizard completed the task successfully.
• A status of Failed indicates that the task wasn't completed. If the task fails,
review the summary for an explanation, and then click Back to make any
configuration changes.
11. Repeat steps 3-10 for each Send connector you want to create (for example, custom,
Internal, Partner).
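The same Internet Send connector created from the Exchange Management Shell, with the smart host case using Basic authentication over TLS, plus an audit for connectors that still send Basic credentials in clear text. This is an added example, not part of the original guide; the server name HUB01, the smart host smarthost.example.net and the connector name are placeholder assumptions.

```powershell
# Added example; run in the Exchange 2010 Management Shell.
# Placeholders (assumptions): server, smart host and connector names below.
$SourceServer = 'HUB01'
$SmartHost    = 'smarthost.example.net'   # set to $null to deliver by DNS MX lookup

$params = @{
    Name                   = 'Internet Outbound'
    Usage                  = 'Internet'     # "intended use" field in the wizard
    AddressSpaces          = '*'            # all Internet domains, as in step 6
    SourceTransportServers = $SourceServer
}

if ($SmartHost) {
    # BasicAuthRequireTLS is the Shell equivalent of the "Basic Authentication
    # over TLS" check box. Plain BasicAuth would send the user name and
    # password in clear text.
    $params.DNSRoutingEnabled        = $false
    $params.SmartHosts               = $SmartHost
    $params.SmartHostAuthMechanism   = 'BasicAuthRequireTLS'
    $params.AuthenticationCredential = Get-Credential   # prompts; nothing is stored in the script
}
else {
    $params.DNSRoutingEnabled = $true
}

New-SendConnector @params

# Audit: Send connectors whose smart host authentication is Basic without TLS.
$cleartext = @(Get-SendConnector |
    Where-Object { "$($_.SmartHostAuthMechanism)" -eq 'BasicAuth' })

if ($cleartext.Count -gt 0) {
    Write-Warning "$($cleartext.Count) Send connector(s) use Basic authentication without TLS:"
    $cleartext | Format-Table Name, SmartHosts, SmartHostAuthMechanism, Enabled -AutoSize

    # Remediation, once you have confirmed that the smart host accepts TLS:
    #   Set-SendConnector -Identity '<connector name>' -SmartHostAuthMechanism BasicAuthRequireTLS
}
else {
    Write-Host 'No Send connector uses Basic authentication without TLS.'
}
```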
How do I delete an Exchange 2003 SMTP connector?
1. When each Send connector is created and verified, the corresponding SMTP connector
can be deleted.
2. In Exchange System Manager, expand the Organization node, expand Administrative
Groups, expand <AdministrativeGroupName>, expand Routing Groups, expand
<RoutingGroupName>, and then select Connector.
3. In the right-hand pane, right-click the connector you want to delete and select Delete.
4. Click OK to confirm the deletion.
Step 14: Move mailboxes to Exchange 2010
After you've deployed the Exchange 2010 Mailbox server role, you can move mailboxes from
Exchange 2003 to Exchange 2010. Be aware that during the move users will not be able to send
and receive messages. So, I recommend that you perform this step off-hours to minimize the
interruption in service.
Learn more at: Understanding Move Requests
In Exchange 2003, shared mailboxes are used to represent resources (for example, a conference
room, a piece of A/V equipment, etc.). Exchange 2010 introduces a new kind of mailbox called a
resource mailbox. When moving a shared mailbox from Exchange 2003 to Exchange 2010, the
move request creates the mailbox as a shared Exchange 2010 mailbox. After the move has been
completed, you can convert the shared mailbox to a resource mailbox.
Learn more at: Convert a Mailbox
How do I do this?
You can use the Exchange Management Console and the New Local Move Request wizard to
perform this task.
1. In the Console tree, expand Recipient Configuration and then select Mailbox.
2. In the Result pane, select the mailbox(es) that you want to move.
3. In the Actions pane, click New Local Move Request.
4. On the Introduction page, configure the following settings, and then click Next:
1. A new move request will be placed for the following mailboxes This displays
the mailboxes being moved. To change this list, click Cancel, and make new
selections in the Result pane.
2. Target mailbox database Click Browse to open the Select Mailbox Database
dialog box and select the Exchange 2010 mailbox database to which you want to
move the mailboxes. Click OK to return to the wizard.
5. On the Move Options page, specify how you want to manage corrupted messages if any
are found and then click Next.
o Skip the mailbox This option skips any mailbox that contains any corrupted
messages. We recommend selecting this option. Only select Skip the corrupted
messages if the move request failed in a previous attempt.
o Skip the corrupted messages This option moves the mailbox, except for any
corrupted messages. If you select this option, you'll need to set the maximum
number of messages to skip.
o Maximum number of messages to skip If you select Skip the corrupted
messages, specify a number between -1 and 2,147,483,647. Use -1 to skip an
unlimited number of corrupted messages.
6. On the New Local Move Request page, review the local move request to make sure it's
correct and then click New to create the move request. Click Back to make any changes.
7. On the Completion page, review the information shown, and then click Finish.
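The move procedure above run from the Exchange Management Shell, following the same policy as the wizard: the first pass tolerates no corrupted messages, and a limit is raised only for mailboxes you name after reviewing a failed move. This is an added example, not part of the original guide; the legacy server name, the target database name and the retry limit are placeholder assumptions.

```powershell
# Added example; run in the Exchange 2010 Management Shell, off-hours.
# Placeholders (assumptions): legacy server, target database, retry values.
$LegacyServer      = 'EX2003-01'
$TargetDatabase    = 'Mailbox Database 01'
$RetryBadItemLimit = 5
$RetryMailboxes    = @()   # fill in after reviewing failures, e.g. 'user1@abc.com'

# Pass 1: "Skip the mailbox" behaviour. With a limit of 0, a mailbox that
# contains any corrupted message fails the move instead of losing messages.
Get-Mailbox -Server $LegacyServer -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $TargetDatabase -BadItemLimit 0

# Poll until no request is still queued or running.
do {
    Start-Sleep -Seconds 60
    $active = @(Get-MoveRequest -MoveStatus Queued) +
              @(Get-MoveRequest -MoveStatus InProgress) +
              @(Get-MoveRequest -MoveStatus CompletionInProgress)
    Write-Host "$($active.Count) move request(s) still active"
} while ($active.Count -gt 0)

# Report each move, including how many corrupted items it encountered.
Get-MoveRequest | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize

# List the failures so they can be reviewed before any limit is raised.
Get-MoveRequest -MoveStatus Failed | Format-Table DisplayName, Status -AutoSize

# Pass 2: "Skip the corrupted messages", only for mailboxes listed explicitly
# in $RetryMailboxes after a previous attempt failed.
foreach ($mailbox in $RetryMailboxes) {
    Write-Warning "Retrying $mailbox with BadItemLimit $RetryBadItemLimit"
    Set-MoveRequest -Identity $mailbox -BadItemLimit $RetryBadItemLimit
    Resume-MoveRequest -Identity $mailbox
}
```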