Solved

Exchange 2010 Autodiscover Recommendation

Posted on 2010-11-11
Medium Priority
634 Views
Last Modified: 2012-05-10
Firstly, I'm used to Exchange 2003, so 2010 is giving me headaches.  If I'm way off base here, please straighten me out...

We deployed our first EX2010 server into a branch office instead of our main office.  All other servers are 2003 (we skipped 2007).  I'm preparing to get a certificate for the 2010 server and I'm struggling with how to deal with Autodiscover.  Ultimately I think we will want our main office server to handle Autodiscover someday when that office moves to 2010, or Autodiscover would be handled by all offices that have 2010.

So, I need to add the domain name autodiscover.domain.com to the CSR, but someday if I want another server to handle autodiscover I'm assuming I won't be able to get another certificate for autodiscover.domain.com.  Maybe I'm wrong about that, but I think the CA won't grant me two certificates for the same domain name?

What's the recommended way to handle the situation where there are potentially multiple autodiscover servers using the same domain name that all need SSL?
Question by:Tofu4679
9 Comments
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34114694
Get a SAN cert that contains all the names you need, and then that can be installed on all your E2k10 servers, especially those that serve the Internet.

Then when head office finally installs E2k10 you can simply change the external autodiscover DNS record to point to the head office CAS server via its external IP address.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34114708
You only need one autodiscover name on that cert by the way.
0
 

Author Comment

by:Tofu4679
ID: 34114774
So this leads to general certificate questions.  What happens if all offices are using the same certificate and we open a new branch office and need to add domain names to the cert?  Or we move another office to 2010 and need to add their domains to the cert?
0
 
LVL 2

Expert Comment

by:GhouseAdmin
ID: 34114804
Hi,

Autodiscover will be pointing to the server which is an Internet-facing server. For example, if you have an Edge server in your Exchange environment then it will be a public Internet-facing server. If you don't have Edge and only have a CAS server then it will be a public-facing server. You cannot have multiple autodiscover for the same domain; the reason is that if you do have multiple autodiscover records, your Outlook will not be able to contact the main server properly, thus leading to many problems, particularly with OAB and free/busy schedule.

Autodiscover will be pointed to your mail host (owa.example.com) and not to the server's name.  The best solution is to have one public-facing server and route all the mail from other servers through this server. Likewise, all incoming and outgoing mail will be handled by this server only. This way you can configure your Exchange to avoid any confusion or any issues with multiple autodiscover.

You can always change the IP of autodiscover in the public DNS (probably the ISP side).  Hope I understood your query and answered it right. If you have any queries, please post.


----------skgmohiddin

0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34114976
Do they have their own Internet domain names and own Internet connections? Or are they sub/ child Internet domain names of the head office one?

What are the SMTP address spaces of the head office like? Are all exchange servers going to be members of the same org?

Basically, autodiscover works by taking the right-hand side of your email address and then trying to find autodiscover in that domain. So if you have multiple SMTP domain names then you are going to need multiple certs or multiple autodiscover names on the cert.
0
 

Author Comment

by:Tofu4679
ID: 34120696
All offices use the same domain name for sending and receiving.  They all have their own OWA domain name, i.e. location.webmail.domain.com.  All servers are in the same org.  We really have a very simple setup.

I think the root issue is this: I'll set up my branch office 2010 server as the autodiscover server for now, and get the cert for autodiscover.domain.com for that server.  When I want to change it to our main office server some day down the road, I'll have to get a new cert for the same domain (autodiscover.domain.com) for a new server.  I'm not sure if the CA will let me do that or not.
0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 2000 total points
ID: 34123066
You can just install the autodiscover.domainname.com cert on all the CAS servers. I recommend you have additional names on it like owa.domainname.com

Or you can buy a domain name cert which will cover all names under domainname.com, but to be honest I believe they are expensive and I don't know how much Exchange likes domain name Certs.

Or you can just do what you were saying and have one cert per branch for the location.owa.domainname.com and when head office comes online it can have its own cert with the autodiscover name on it. Then you change your external DNS entry for autodiscover to point to the head office CAS server.
0
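
Added example, not part of any post in this thread: a small Python check that derives the `autodiscover.<domain>` names from a set of SMTP addresses (the lookup described in the earlier comment) and reports which required host names a certificate's name list fails to cover. The addresses, the `branch.example` domain and both name lists are constructed sample data, and treating the "domain name cert" mentioned above as a wildcard certificate (`*.domain.com`) is an assumption.

```python
# Added example: all addresses and certificate name lists are constructed.

def autodiscover_hosts(addresses):
    """One autodiscover.<smtp-domain> name per distinct right-hand side."""
    domains = {a.rsplit("@", 1)[1].strip().lower() for a in addresses}
    return sorted("autodiscover." + d for d in domains)

def name_matches(pattern, host):
    """Compare a certificate name with a host name.

    A leading '*' stands for exactly one left-most label, so
    '*.domain.com' does not match 'a.b.domain.com' or 'domain.com'.
    """
    p = pattern.lower().split(".")
    h = host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def uncovered(hosts, cert_names):
    """Hosts that no name on the certificate matches."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]

# Constructed inventory: two SMTP domains and one per-office OWA name.
ADDRESSES = ["alice@domain.com", "bob@domain.com", "carol@branch.example"]
OWA_HOSTS = ["location.webmail.domain.com"]

# Constructed certificate name lists (hypothetical SAN and wildcard certs).
SAN_CERT = ["autodiscover.domain.com", "location.webmail.domain.com"]
WILDCARD_CERT = ["*.domain.com"]

def report(cert_names):
    """Names clients will request that the given certificate cannot serve."""
    needed = autodiscover_hosts(ADDRESSES) + OWA_HOSTS
    return uncovered(needed, cert_names)

if __name__ == "__main__":
    print("SAN cert is missing:     ", report(SAN_CERT))
    print("Wildcard cert is missing:", report(WILDCARD_CERT))
```

With this sample data the SAN certificate only lacks the second SMTP domain's autodiscover name, while the wildcard also misses the two-level OWA name because a wildcard covers a single label.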
 

Author Comment

by:Tofu4679
ID: 34138789
OK, thanks.  I just went ahead and set up the branch with the cert (UCC SAN cert).  I'll deal with moving the autodiscover to another server when the time comes.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34138820
Thanks for the points
0


Question has a verified solution.
