Yes, you can continue to use your 03 box as a mail server. You can also keep it as your "SMTP Gateway/Transport" if it is where all your email comes in from the internet.
OWA will be tricky since you can only have it pointing to a single server. So existing mailboxes on the 2003 box won't be able to use OWA until they are migrated (unless you go through a big ordeal that I don't want to describe here).
You will need a certificate for Outlook Anywhere. Regardless, you'll need to set up autodiscover.domain.com DNS records externally for Outlook Anywhere to work properly automagically.
Things to note from our migration:
- Blackberry stuff can be tricky; move the BESAdmin account first.
- ActiveSync relies on the Client Access stuff, so either move them all first, or all last. This will affect OWA too, since the same rules apply.
- If you have a small enough company (under 500 people), I would strongly recommend moving around 25-50 on a weekend, let them test throughout the next 2 weeks, then move EVERYONE else in a single weekend.
- You shouldn't have to mess with their Outlook profiles.
- Migrate resource mailboxes over and then convert them to true "resource mailboxes" using PowerShell and OWA.
The thing that I remember vividly is that OWA/ActiveSync definitely broke if you moved it over to the 07 box first. So we ended up moving all of the OWA/ActiveSync users at the same time and then moving the firewall rules to redirect to the 07 box.
EDIT: I'm referring to what happens to OWA if you only have a single Exchange 07 server and don't bother to set up 2 different URLs and redirects for OWA clients. See the TechNet article I refer to in the comments below.
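The "convert them to true resource mailboxes using PowerShell" step above, written out as an added Exchange Management Shell example (not code from the original answer); the mailbox names, their Room/Equipment types and the assumption that the accounts were migrated as ordinary user mailboxes are all constructed for illustration:

```powershell
# Added example: after resource mailboxes have been moved to the Exchange 2007
# server, flip them from ordinary user mailboxes into real Room/Equipment
# resource mailboxes and turn on automatic booking.
# The names and types below are constructed assumptions, not the poster's data.
$resources = @{
    "ConfRoom-1stFloor"  = "Room"
    "ConfRoom-Boardroom" = "Room"
    "Projector-Portable" = "Equipment"
}

foreach ($name in $resources.Keys) {
    $mbx = Get-Mailbox -Identity $name -ErrorAction SilentlyContinue
    if (-not $mbx) {
        # Not found usually means the mailbox has not been migrated yet.
        Write-Warning "Mailbox '$name' not found; has it been moved to the 07 box yet?"
        continue
    }

    if ($mbx.RecipientTypeDetails -eq "UserMailbox") {
        # Set-Mailbox -Type is what actually changes a regular mailbox into a
        # Room or Equipment resource mailbox (the AD account behind it ends up
        # disabled, which is what you want for a shared resource).
        Set-Mailbox -Identity $name -Type $resources[$name]
    }

    # Exchange 2007 cmdlet (renamed Set-CalendarProcessing in Exchange 2010):
    # let the resource accept or decline meeting requests on its own.
    Set-MailboxCalendarSettings -Identity $name -AutomateProcessing AutoAccept
}

# Verify: every converted mailbox should now report RoomMailbox or EquipmentMailbox.
$resources.Keys |
    ForEach-Object { Get-Mailbox -Identity $_ } |
    Format-Table Name, RecipientTypeDetails, ResourceCapacity -AutoSize
```

Run it once from the Exchange 2007 Management Shell with an account that holds Exchange Recipient Administrator rights; the final table is the check that nothing was left as a plain UserMailbox.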
I'm posting this as an answer mainly because everyone has their own "educated opinion" based on experience, 3rd party info, hearsay, and tribal knowledge within IT, but this is more a list of citations and readings "directly" from Microsoft. I used quotes because I'm sure they don't properly filter all opinions made by their employees, but this should prove helpful nonetheless if you are after authoritative references direct from Microsoft.
BTW, I also think it is VERY EASY to say DOMAIN CONTROLLER == ACTIVE DIRECTORY, which isn't quite the case. AD FS proxies and other means (forms-based auth for OWA, EAS, etc.) offer a way to "expose" AD itself to the web to allow clients to at least attempt to authenticate via AD without exposing the DCs themselves. Go on someone's OWA site and attempt to log in, and AD will get the request for authentication on a backend DC, so AD is technically "exposed"...but is secured via SSL and proxied through an Exchange server.
Citation #1
Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
Before you go "Azure isn't AD"...you CAN deploy ADDS on an Azure VM.
But to quote the relevant bits:
Never expose STSs directly to the Internet.

As a security best practice, place STS instances behind a firewall and connect them to your corporate network to prevent exposure to the Internet. This is important because the STS role issues security tokens. As a result, they should be treated with the same level of protection as a domain controller. If an STS is compromised, malicious users have the ability to issue access tokens potentially containing claims of their choosing to relying party applications and other STSs in trusting organizations.
Ergo...don't expose domain controllers directly to the internet.
Citation #2
Active Directory - The UnicodePwd Mystery of AD LDS
Exposing a domain controller to the Internet is normally a bad practice, whether that exposure comes directly from the production environment or through a perimeter network. The natural alternative is to place a Windows Server 2008 server with Active Directory Lightweight Directory Services (AD LDS) role running in the perimeter network.
Citation #3 - not from MS...but still useful in looking ahead
Active Directory-as-a-Service? Azure, Intune hinting at a cloud-hosted AD future
In the end, there is no great "short" answer which meets the goals of ridding the office of the AD server in exchange for an Azure alternative. While Microsoft is being complacent in allowing customers to host Active Directory Domain Services on Server 2012 and 2008 R2 boxes in Azure, their usefulness is only as good as the VPN connectivity you can muster for your staff. DirectAccess, while a very promising technology, has its hands tied due to its own unfortunate limitations.
Citation #4
Deploy AD DS or AD FS and Office 365 with single sign-on and Windows Azure Virtual Machines
Domain controllers and AD FS servers should never be exposed directly to the Internet and should only be reachable through VPN.
Best Answer
You'll want to use the ADMT (Active Directory Migration Tool) to migrate your AD structures if you are going from AD environments to AD environments. You don't specify what the source Exchange is (2003/2007/2010), so I can't say for sure what you can use to migrate your Exchange mailboxes. However, you can use the integrated Exchange Management Shell to migrate mailboxes across a forest if your source is 2000 SP3 or later, 2003 SP1 or later, or 2007. See this Exchange Team Blog post for more information: Exchange 2007 Cross Org Mailbox Migration