Hi,
I have been tasked with decommissioning our single Multi Role Server (CAS/HT/MB) and assigning the roles to 2 new servers. 1 server will be dedicated to CAS and the other new server will be dedicated to HT & MB roles.
I think I'm OK with moving the HT and MB roles from our current server to the new HT/MB server by following "Ed Crowley's Method for Moving Exchange Servers". My focus is on the migration of the CAS role from the current server to the new one, as this has the potential to kill our mail flow if I don't move the role correctly.
The actual introduction of the new CAS server is fairly straightforward, but moving the certificate is where I need some clarification.
Our current multi role server has a 3rd Party Certificate with the following information:
Subject: OWA.DOMAIN.COM.AU
SANs: internalservername.domain.local
autodiscover.domain.com.au
The issue here is the SAN entry "internalservername.domain.local" which will need to be removed in order for the certificate to be used on the new CAS server, firstly because the CAS server has a different name and secondly the internal FQDN will no longer be allowed to be used from 2015 onwards. So I will need to revoke this certificate and issue a new certificate with our vendor who is Thawte.
This presents me with an opportunity to simplify our certificate and make changes to the URLs using a new certificate name, so I have proposed the following:
New Certificate:
Subject: mail.domain.com.au
SANs: autodiscover.domain.com.au
OWA.DOMAIN.COM.AU
I would then configure the URLs using PowerShell:
Set-ClientAccessServer -Identity NEWCASNAME -AutoDiscoverServiceInternalUri https://mail.domain.com.au/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "NEWCASNAME\EWS (Default Web Site)" -InternalUrl https://mail.domain.com.au/ews/exchange.asmx
Set-OabVirtualDirectory -Identity "NEWCASNAME\oab (Default Web Site)" -InternalUrl https://mail.domain.com.au/oab
Set-OwaVirtualDirectory -Identity "NEWCASNAME\owa (Default Web Site)" -InternalUrl https://mail.domain.com.au/owa
I would also then set up split DNS on our internal DNS server, creating a new zone called "mail.domain.com.au" and adding a host A record with the internal IP address of the new CAS server.
Now I know I haven't asked a question yet, and the only real question I have is whether this line of thinking and my theory are correct.
Have I missed anything or is there anything I should be wary of that has the potential to blow up in my face?
Thanks guys, I really appreciate any insights and input you have on this.
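A pre-cutover check for the plan above, added here as an example and not part of the original post: run in the Exchange Management Shell on the new CAS, it collects every host name the virtual directory URLs hand to clients, compares them against the names on the certificate bound to IIS, flags any leftover internal (.local) name, and shows what each public name resolves to internally so the split-DNS zone can be confirmed. It assumes the server is called NEWCASNAME and that the new certificate has already been imported and enabled for IIS.

```powershell
# Added example: verify CAS URLs, certificate names and split DNS agree.
# Assumption: the new CAS is NEWCASNAME and the new cert is already bound to IIS.
$server = 'NEWCASNAME'

# 1. Gather the host names that Autodiscover, EWS, OAB and OWA will advertise.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls += (Get-WebServicesVirtualDirectory -Server $server).InternalUrl
$urls += (Get-OabVirtualDirectory -Server $server).InternalUrl
$urls += (Get-OwaVirtualDirectory -Server $server).InternalUrl
$urlHosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

# 2. Find the certificate currently serving IIS and the names it covers.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for IIS on $server" }
$certNames = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
"IIS certificate $($cert.Thumbprint) covers: $($certNames -join ', ')"

# 3. Every advertised host must be a Subject/SAN name, or Outlook and
#    browsers will raise a name-mismatch warning after the cutover.
foreach ($h in $urlHosts) {
    if ($certNames -contains $h) { "OK   $h is covered by the certificate" }
    else { "FAIL $h is NOT on the IIS certificate" }
}

# 4. A public CA will not issue internal names; warn if one is still present.
$certNames | Where-Object { $_ -like '*.local' } |
    ForEach-Object { "WARN certificate still contains internal name $_" }

# 5. Split DNS: from inside, each public name should resolve to the CAS's
#    internal address, not to the public (firewall) address.
foreach ($h in $urlHosts) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($h) |
            ForEach-Object { $_.IPAddressToString }
        "DNS  $h -> $($ips -join ', ')"
    } catch {
        "FAIL $h does not resolve internally: $($_.Exception.Message)"
    }
}
```

Any FAIL line for a name such as autodiscover.domain.com.au shows a host that the single "mail.domain.com.au" zone does not cover, so it needs its own internal zone or record before clients are pointed at the new server.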