Exchange 2003 Migration to Exchange 2010 Coexistence OWA ActiveSync Real Life Tips
1. If you are using mail.contoso.com as the DNS name for your Exchange 2003 Outlook MAPI, OWA, and ActiveSync clients, then perform the following.
In external DNS, update the record mail.contoso.com to the IP of the Exchange 2010 server, and create another record, legacy.contoso.com, pointing to the IP of the Exchange 2003 server. In internal DNS, create legacy.contoso.com with the IP of the Exchange 2003 server. Do not change the internal DNS record for mail.contoso.com; leave it as is, because your Exchange 2003 Outlook users are still using mail.contoso.com. If you change the internal record, your Outlook 2003 users will stop working, since they will be pointed at the Exchange 2010 server, which cannot proxy RPC back to 2003. Before making the DNS changes, set the TTL on these records to something like 5 minutes, 24 hours before you change them; this ensures that when you change the records you are not waiting an hour or more for the DNS cache to time out and hamper your testing and/or troubleshooting.
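As an added example (not part of the original post), the following PowerShell checks that the split-brain layout above is actually in place before you continue: each name is queried against the external and the internal resolver and compared with the address it is supposed to return, and the TTL is checked against the 5-minute recommendation. The server and resolver IP addresses are placeholders you replace with your own, and the script assumes Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original post): verify the split-brain DNS layout for coexistence.
# Assumptions: Resolve-DnsName is available; every IP below is a placeholder for your own values.

$Exchange2010Ip   = '203.0.113.10'   # placeholder: public IP published for the Exchange 2010 CAS
$Exchange2003Ip   = '203.0.113.20'   # placeholder: public IP published for the Exchange 2003 FE
$Internal2003Ip   = '10.0.0.20'      # placeholder: internal IP of the Exchange 2003 FE
$ExternalResolver = '198.51.100.53'  # placeholder: any resolver outside your network
$InternalResolver = '10.0.0.1'       # placeholder: your internal AD DNS server
$MaxTtlSeconds    = 300              # 5 minutes, as the post recommends before making changes

# Expected map: which name must resolve to which address on which resolver.
$expected = @(
    @{ Name = 'mail.contoso.com';   Server = $ExternalResolver; Ip = $Exchange2010Ip }
    @{ Name = 'legacy.contoso.com'; Server = $ExternalResolver; Ip = $Exchange2003Ip }
    @{ Name = 'legacy.contoso.com'; Server = $InternalResolver; Ip = $Internal2003Ip }
    @{ Name = 'mail.contoso.com';   Server = $InternalResolver; Ip = $Internal2003Ip }  # stays on 2003 on purpose
)

function Test-CoexistenceDns {
    param([array]$Expected, [int]$MaxTtl)
    $problems = @()
    foreach ($e in $Expected) {
        try {
            # -DnsOnly skips the local hosts file and NetBIOS/LLMNR so we see what the resolver really says
            $records = Resolve-DnsName -Name $e.Name -Type A -Server $e.Server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
        } catch {
            $problems += "$($e.Name) via $($e.Server): lookup failed ($($_.Exception.Message))"
            continue
        }
        $addresses = @($records | ForEach-Object { $_.IPAddress })
        if ($addresses -notcontains $e.Ip) {
            $problems += "$($e.Name) via $($e.Server): got [$($addresses -join ', ')], expected $($e.Ip)"
        }
        # A long TTL means clients (and your own tests) keep the old answer for hours after a change.
        $longTtl = @($records | Where-Object { $_.TTL -gt $MaxTtl })
        if ($longTtl.Count -gt 0) {
            $problems += "$($e.Name) via $($e.Server): TTL $($longTtl[0].TTL)s exceeds $MaxTtl s"
        }
    }
    return $problems
}

$issues = Test-CoexistenceDns -Expected $expected -MaxTtl $MaxTtlSeconds
if ($issues.Count -eq 0) {
    'DNS layout matches the coexistence plan.'
} else {
    $issues | ForEach-Object { "PROBLEM: $_" }
}
```

Run it from a machine that can reach both resolvers. The last row of the map is deliberate: the post says the internal mail.contoso.com record must keep pointing at the 2003 server until the Outlook users have moved, so the check fails loudly if someone updates that record along with the external one.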
2. In the Exchange 2010 Management Shell, point the OWA virtual directory at the legacy namespace (the Exchange2003Url):
Set-OwaVirtualDirectory -Identity "exchange2010cas01\owa (Default Web Site)" -Exchange2003Url https://legacy.contoso.com/exchange
3. Do the same for the ActiveSync virtual directory, via its ExternalUrl:
Set-ActiveSyncVirtualDirectory -Identity "exchange2010cas01\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl https://legacy.contoso.com/Microsoft-Server-ActiveSync
Supposedly you don't necessarily need to set the legacy URL on the ActiveSync virtual directory for 2003-2010 coexistence, because Exchange 2010 will proxy directly to the 2003 ActiveSync. I have found this did not work and required you to set the ActiveSync virtual directory and let it redirect. At this point you should be able to open a browser outside the network and perform the following.
A. Go to mail.contoso.com from outside the network and access a mailbox for a 2010 user and for a 2003 user.
B. Go to legacy.contoso.com from outside the network and access a 2003 user.
C. On your ActiveSync phone you should be able to access your 2003 user without changing any settings on the phone, with the server still set to mail.contoso.com (some troubleshooting steps below if you can't).
D. On your ActiveSync phone you can also set the mail server to legacy.contoso.com and access your 2003 server.
You also need to ensure the following are set. On your Exchange 2003 front end, enable Integrated Windows authentication on the ActiveSync virtual directory as well as Basic. Also DISABLE Require SSL on the ActiveSync vdir. You also need to DISABLE Require SSL on the Exchange virtual directory on your 2003 FE. I set this directly from IIS and not ESM and didn't run into DS2MB re-writing.
In addition, if you are doing HTTP to HTTPS redirect on your Exchange 2003 OWA, you need to turn this off, whether you were performing it using the HTTP custom error file or some other method.
If you experience ActiveSync slowness, it's because you didn't disable Require SSL on the Exchange virtual directory on your 2003 server. I also didn't need to disable RPC/HTTP or forms-based authentication on the 2003 server to have it work.
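Added example, not the author's own procedure: an audit of the IIS 6 settings the post requires on the Exchange 2003 front end, read through the IIS ADSI provider that ships with IIS 6. It assumes the virtual directories live under the Default Web Site (metabase path W3SVC/1) and that you run it locally on the FE as an administrator; the AuthFlags and AccessSSLFlags bit values are the IIS 6 metabase constants. Without -Fix it only reports.

```powershell
# Added example (not from the original post): audit, and optionally fix, the Exchange 2003 FE
# virtual directory settings the post asks for, via the IIS 6 ADSI provider.
# Assumptions: local run as administrator; vdirs under the Default Web Site (W3SVC/1).

$AuthBasic = 2   # AuthFlags bit: Basic authentication
$AuthNtlm  = 4   # AuthFlags bit: Integrated Windows authentication
$AccessSsl = 8   # AccessSSLFlags bit: "Require secure channel (SSL)"

# What the post asks for on each virtual directory
$vdirs = @(
    @{ Path = 'IIS://localhost/W3SVC/1/ROOT/Microsoft-Server-ActiveSync'; NeedBasic = $true;  NeedNtlm = $true;  SslMustBeOff = $true }
    @{ Path = 'IIS://localhost/W3SVC/1/ROOT/Exchange';                    NeedBasic = $false; NeedNtlm = $false; SslMustBeOff = $true }
)

function Test-LegacyVdirSettings {
    param([array]$Vdirs, [switch]$Fix)
    $findings = @()
    foreach ($v in $Vdirs) {
        $node = [ADSI]$v.Path
        $auth = [int]$node.Get('AuthFlags')
        $ssl  = [int]$node.Get('AccessSSLFlags')
        $name = $v.Path.Split('/')[-1]

        if ($v.NeedBasic -and -not ($auth -band $AuthBasic)) {
            $findings += "${name}: Basic authentication is off"
            $auth = $auth -bor $AuthBasic
        }
        if ($v.NeedNtlm -and -not ($auth -band $AuthNtlm)) {
            $findings += "${name}: Integrated Windows authentication is off (the 2010 CAS proxy needs it)"
            $auth = $auth -bor $AuthNtlm
        }
        if ($v.SslMustBeOff -and ($ssl -band $AccessSsl)) {
            $findings += "${name}: Require SSL is on (the post ties this to ActiveSync slowness)"
            $ssl = $ssl -band (-bnot $AccessSsl)
        }
        if ($Fix) {
            # Write the corrected flags back to the metabase
            $node.Put('AuthFlags', $auth)
            $node.Put('AccessSSLFlags', $ssl)
            $node.SetInfo()
        }
    }
    return $findings
}

$findings = Test-LegacyVdirSettings -Vdirs $vdirs        # add -Fix to apply the changes
if ($findings.Count -eq 0) { 'Exchange 2003 FE vdirs already match the post.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Two things worth keeping in mind when you apply this. First, with Require SSL off and Basic enabled, the 2003 FE will accept credentials over plain HTTP, so the unencrypted path should only ever be the internal 2010 CAS to FE hop: publish only 443 to the Internet for both namespaces and leave port 80 to the FE closed at the edge. Second, the post notes that DS2MB can rewrite IIS settings from ESM; re-running the audit a day later is a cheap way to catch that.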
Another tip: do not set up the HTTP to HTTPS redirect on your 2010 server just yet. If you are using mail.contoso.com for everything (Outlook, ActiveSync, OWA) and you are in this split-brain DNS setup, the redirect can break services. This is because when a 2010 user logs into OWA using just http://mail.contoso.com/, the request goes to the 2010 CAS, and CAS will redirect to https://mail.contoso.com/; but your CAS uses internal DNS, where mail.contoso.com points to your Exchange 2003 server, which does not hold that 2010 user's mailbox. This renders a redirect loop in the browser.
This is just one of the limitations of coexistence if you use a single namespace, mail.contoso.com, for all your services. Another limitation is that internal 2010 users, after they are migrated, will not be able to use OWA or ActiveSync on the internal Wi-Fi, because they will be pointed to mail.contoso.com, which of course points to 2003 internally. You can go with alternative solutions, such as a new namespace for your 2010 users, but that would mean re-homing their devices and Outlook Anywhere after they are migrated, so it is not seamless.
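To see the redirect problem described above instead of guessing at it in a browser, here is an added PowerShell probe (not from the original post) that follows a URL's redirect chain hop by hop without credentials and reports a loop as soon as a URL repeats. It assumes Windows PowerShell 3.0 to 5.1, where Invoke-WebRequest raises a WebException carrying the response for 3xx and 4xx answers when -MaximumRedirection is 0, and it uses the contoso.com names from the post.

```powershell
# Added example (not from the original post): trace HTTP redirects for the coexistence URLs.
# Assumptions: Windows PowerShell 3.0-5.1; run once from inside the network (where
# mail.contoso.com resolves to Exchange 2003) and once from outside.

function Trace-RedirectChain {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$MaxHops = 10
    )
    $seen    = New-Object 'System.Collections.Generic.HashSet[string]'
    $chain   = @()
    $current = $Url

    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        if (-not $seen.Add($current)) {
            # Same URL twice in one chain: this is the redirect loop a browser would show
            return [pscustomobject]@{ Result = 'Loop'; Chain = ($chain + $current) }
        }
        $chain += $current
        $status = $null; $location = $null
        try {
            $resp     = Invoke-WebRequest -Uri $current -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
            $status   = [int]$resp.StatusCode
            $location = $resp.Headers['Location']
        } catch {
            $r = $_.Exception.Response
            if ($r -eq $null) {
                # DNS failure, connection refused, untrusted certificate, and similar
                return [pscustomobject]@{ Result = "Error: $($_.Exception.Message)"; Chain = $chain }
            }
            $status   = [int]$r.StatusCode
            $location = $r.Headers['Location']
        }
        if ($status -ge 300 -and $status -lt 400 -and $location) {
            # Resolve a relative Location header against the URL we just requested
            $current = (New-Object System.Uri -ArgumentList ([uri]$current), $location).AbsoluteUri
            continue
        }
        # 401 is the normal unauthenticated answer from OWA and ActiveSync; 200 is the FBA logon page
        return [pscustomobject]@{ Result = "Final $status"; Chain = $chain }
    }
    return [pscustomobject]@{ Result = "Gave up after $MaxHops hops"; Chain = $chain }
}

foreach ($u in 'http://mail.contoso.com/owa', 'https://mail.contoso.com/owa', 'https://legacy.contoso.com/exchange') {
    $t = Trace-RedirectChain -Url $u
    "{0,-40} {1,-12} {2}" -f $u, $t.Result, ($t.Chain -join ' -> ')
}
```

A healthy result is "Final 401" or "Final 200" with a short chain; "Loop" from the inside run is the exact symptom the post warns about. If the legacy host answers with a certificate the test machine does not trust you will get an Error row rather than a chain, which is itself worth fixing before phones are pointed at legacy.contoso.com.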
Once complete, enable both NTLM and Basic authentication for Outlook Anywhere on your Exchange 2010 CAS, since it is possible you have Outlook Anywhere clients already set to either NTLM or Basic. I ended up having to set all 3; just setting -DefaultAuthenticationMethod for NTLM and Basic did not work.
# Identity is "<CAS name>\Rpc (Default Web Site)"; Server01 is the CAS name used in this post.
# DefaultAuthenticationMethod and ClientAuthenticationMethod take one value (Basic or Ntlm) on Exchange 2010; IISAuthenticationMethods is the multi-valued list that lets profiles set to either method keep working.
Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -DefaultAuthenticationMethod Ntlm
Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -IISAuthenticationMethods Ntlm, Basic
Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -ClientAuthenticationMethod Ntlm
MCITP | EA |EMA
Security+, Project+, ITIL