One of the risks during Exchange Server 2013 deployment is that the installation of a new Client Access server may cause certificate warnings to begin appearing in the Outlook client of your end users.
This is similar to the certificate warning issue often seen during Exchange Server 2013 installation, which was caused by the Outlook client making Autodiscover or Exchange Web Services connections to an Exchange server with a self-signed (i.e., untrusted by the client) SSL certificate.
If there is going to be a delay in SSL certificate provisioning for the new Exchange 2013 servers (which is common when third-party certification authorities are used) then steps should be taken to mitigate this risk.
This issue can be avoided with a little bit of planning before you deploy the first server. Let’s take a look at the existing Exchange Server Pro organization.
First, a quick review of existing Autodiscover configurations should be performed.
From the information gathering stage where we ran the Get-VirDirInfo.ps1 script we already know that the following Autodiscover URLs are configured:
- autodiscover.exchangeserverpro.net
- br-ex2010-mb.exchangeserverpro.net
Another view of this information can be seen by running Get-ClientAccessServer.
```
[PS] C:\>Get-ClientAccessServer | Select Name,AutodiscoverServiceInternalURI,AutodiscoverSiteScope | Fl

Name                           : BR-EX2010-MB
AutoDiscoverServiceInternalUri : https://br-ex2010-mb.exchangeserverpro.net/Autodiscover/Autodiscover.xml
AutoDiscoverSiteScope          : {BranchOffice}

Name                           : HO-EX2010-MB1
AutoDiscoverServiceInternalUri : https://autodiscover.exchangeserverpro.net/Autodiscover/Autodiscover.xml
AutoDiscoverSiteScope          : {HeadOffice}

Name                           : HO-EX2010-MB2
AutoDiscoverServiceInternalUri : https://autodiscover.exchangeserverpro.net/Autodiscover/Autodiscover.xml
AutoDiscoverSiteScope          : {HeadOffice}
```
Notice the AutoDiscoverSiteScope value above. This is also referred to as “Site Affinity” and is used to tell Outlook clients which Client Access servers to prefer when they are looking for an Autodiscover service to connect to. For more on configuring site scope refer to this article:
In a migration scenario where new servers are being introduced to the organization, the site scope can be used to avoid having Outlook clients connecting to your new servers for Autodiscover. If you have not configured site scope it is recommended to do so before installing the first Exchange 2013 server.
However, this solution requires that the new Exchange 2013 servers are being deployed in an Active Directory site that is different to the existing site(s). In our Exchange Server Pro deployment scenario this is true; the new servers are being deployed into new datacenters that have different IP subnets and different Active Directory sites configured.
If you are not deploying into a new site you can still use this method by establishing a temporary AD site where Exchange 2013 is provisioned, then move it into your production AD site when it is ready to go live.
If neither of the above options is available to you then you can use DNS to avoid the issue instead. For example, if a single site exists and the Autodiscover namespace is autodiscover.exchangeserverpro.net, then as long as the Exchange 2013 server is also configured with that Autodiscover namespace, you can use DNS to resolve that name only to your existing Exchange servers, or to a load balanced VIP that distributes the traffic only to those Exchange 2010 servers.
To achieve this you would need to configure the Autodiscover URL on the Exchange 2013 server immediately after it is installed. You can see a demonstration of this in the following article:
To summarize, the primary objectives here are to use Autodiscover namespace and site scope configurations to prevent Outlook clients from connecting to an Exchange 2013 server that has not been fully provisioned, to avoid SSL warning dialogs appearing, and also to optimize the Autodiscover configuration in larger environments.
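One way to check these objectives before and after a new server is installed is to test the certificate behind every registered Autodiscover URI. This is an added example, not part of the original article: `Test-AutodiscoverCertificate` is a hypothetical helper name, and trust is evaluated against the certificate store of the machine running it.

```powershell
# Added example: report which Autodiscover SCP endpoints would trigger a
# certificate warning. Run in the Exchange Management Shell.
function Test-AutodiscoverCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][uri]$Uri,
        [string]$SiteScope
    )
    $script:policyErrors = 'NoHandshake'
    # Let the handshake complete, but record what a validating client would reject.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $report = @{ Server = $Server; SiteScope = $SiteScope; Host = $Uri.Host
                 Subject = $null; NotAfter = $null; PolicyErrors = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Uri.Host, $Uri.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Uri.Host)   # name is checked against the SCP host
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.Subject      = $cert.Subject
        $report.NotAfter     = $cert.NotAfter
        # "None" means trusted chain and matching name; anything else is a warning.
        $report.PolicyErrors = "$script:policyErrors"
    } catch {
        $report.PolicyErrors = "ConnectFailed: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    New-Object PSObject -Property $report |
        Select-Object Server, SiteScope, Host, Subject, NotAfter, PolicyErrors
}

# Skip servers with no SCP URI set, then test each registered endpoint.
Get-ClientAccessServer |
    Where-Object { $_.AutoDiscoverServiceInternalUri } |
    ForEach-Object {
        Test-AutodiscoverCertificate -Server $_.Name `
            -Uri ([uri]"$($_.AutoDiscoverServiceInternalUri)") `
            -SiteScope ($_.AutoDiscoverSiteScope -join ',')
    } | Format-Table -AutoSize
```

A row showing `RemoteCertificateChainErrors` or `RemoteCertificateNameMismatch` identifies a URI that should not be reachable by Outlook clients until its certificate is provisioned.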
In the next article in this series we’ll look at reviewing the offline address book configuration for the existing Exchange 2010 environment.
This article Exchange Server 2010 to 2013 Migration – Reviewing Autodiscover Configuration is © 2014 ExchangeServerPro.com