Solved

Exchange 2010 Autodiscover Recommendation

Posted on 2010-11-11
623 Views
Last Modified: 2012-05-10
Firstly, I'm used to Exchange 2003, so 2010 is giving me headaches.  If I'm way off base here please straighten me out...

We deployed our first EX2010 server into a branch office instead of our main office.  All other servers are 2003 (we skipped 2007).  I'm preparing to get a certificate for the 2010 server and I'm struggling with how to deal with Autodiscover.  Ultimately I think we will want our main office server to handle Autodiscover someday when that office moves to 2010, or Autodiscover would be handled by all offices that have 2010.

So, I need to add the domain name autodiscover.domain.com to the CSR, but someday if I want another server to handle autodiscover I'm assuming I won't be able to get another certificate for autodiscover.domain.com.  Maybe I'm wrong about that, but I think the CA won't grant me two certificates for the same domain name?

What's the recommended way to handle the situation where there are potentially multiple autodiscover servers using the same domain name that all need SSL?
Question by:Tofu4679
9 Comments
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34114694
Get a SAN cert that contains all the names you need; that can then be installed on all your E2k10 servers, especially those that serve the Internet.

Then when head office finally installs E2k10 you can simply change the external autodiscover DNS record to point to the head office CAS server via its external IP address.
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34114708
You only need one autodiscover name on that cert by the way.
 

Author Comment

by:Tofu4679
ID: 34114774
So this leads to general certificate questions.  What happens if all offices are using the same certificate and we open a new branch office and need to add domain names to the cert?  Or we move another office to 2010 and need to add their domains to the cert?
 
LVL 2

Expert Comment

by:GhouseAdmin
ID: 34114804
Hi,

Autodiscover will be pointing to the server which is an Internet-facing server. For example, if you have an Edge server in your Exchange environment then it will be a public Internet-facing server. If you don't have Edge and only have a CAS server then it will be the public-facing server. You cannot have multiple autodiscover for the same domain; the reason is that if you do have multiple autodiscover records your Outlook will not be able to contact the main server properly, thus leading to many problems, particularly with OAB and free/busy schedule.

Autodiscover will be pointed to your mail host (owa.example.com) and not to the server's name.  The best solution is to have one public-facing server and route all the mail from other servers through this server. Likewise all the incoming and outgoing mail will be handled by this server only. This way you can configure your Exchange to avoid any confusion or any issues with multiple autodiscover.

You can always change the IP of autodiscover in the public DNS (probably on the ISP side).  Hope I understood your query and answered it right. If you have any queries please post.


----------skgmohiddin

 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34114976
Do they have their own Internet domain names and own Internet connections? Or are they sub/ child Internet domain names of the head office one?

What are the SMTP address spaces of the head office like? Are all exchange servers going to be members of the same org?

Basically autodiscover works by taking the right-hand side of your email address and then trying to find autodiscover in that domain. So if you have multiple SMTP domain names then you are going to need multiple certs or multiple autodiscover names on the cert.
 

Author Comment

by:Tofu4679
ID: 34120696
All offices use the same domain name for sending and receiving.  They all have their own OWA domain name, i.e. location.webmail.domain.com.  All servers are in the same org.  We really have a very simple setup.

I think the root issue is this: I'll set up my branch office 2010 server as the autodiscover server for now, and get the cert for autodiscover.domain.com for that server.  When I want to change it to our main office server some day down the road I'll have to get a new cert for the same domain (autodiscover.domain.com) for a new server.  I'm not sure if the CA will let me do that or not.
 
LVL 31

Accepted Solution

by: MegaNuk3 (earned 500 total points)
ID: 34123066
You can just install the autodiscover.domainname.com cert on all the CAS servers. I recommend you have additional names on it like owa.domainname.com

Or you can buy a domain name cert which will cover all names under domainname.com, but to be honest I believe they are expensive and I don't know how much Exchange likes domain name Certs.

Or you can just do what you were saying and have one cert per branch for the location.owa.domainname.com name, and when head office comes online it can have its own cert with the autodiscover name on it. Then you change your external DNS entry for autodiscover to point to the head office CAS server.
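MegaNuk3's point above about Autodiscover taking the right-hand side of the address, and the UCC SAN versus domain (wildcard) cert choice in the accepted solution, worked through as an added Python example that is not from this thread; the SAN lists and the domain.com / branch1.webmail.domain.com names are constructed stand-ins, and the check shows that a wildcard covers only one label, so a per-location name two levels deep still needs its own SAN entry:

```python
"""Which of the hostnames Outlook tries during Autodiscover does a
certificate cover? SAN lists below are constructed for this example."""

# Constructed SAN lists standing in for the two options in the thread:
# a UCC/SAN cert with explicit names, and a "domain" (wildcard) cert.
UCC_SAN_CERT = ["owa.domain.com", "autodiscover.domain.com",
                "branch1.webmail.domain.com"]
WILDCARD_CERT = ["*.domain.com"]


def autodiscover_hosts(smtp_address):
    """The HTTPS hostnames Outlook derives from the right-hand side of the
    SMTP address: the bare domain, then autodiscover.<domain>.
    (SCP, SRV and HTTP-redirect lookups are left out here.)"""
    domain = smtp_address.rsplit("@", 1)[1].lower().rstrip(".")
    return [domain, "autodiscover." + domain]


def san_matches(san, hostname):
    """True if one SAN entry covers hostname. A wildcard replaces only the
    single left-most label (RFC 6125 section 6.4.3), so *.domain.com covers
    autodiscover.domain.com but not branch1.webmail.domain.com."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.domain.com" -> ".domain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return leftmost != "" and "." not in leftmost


def coverage(san_list, hostnames):
    """Map each required hostname to the SAN entry covering it, or None."""
    return {h: next((s for s in san_list if san_matches(s, h)), None)
            for h in hostnames}


def uncovered(san_list, hostnames):
    """Hostnames that no SAN entry on the certificate covers."""
    return [h for h, s in coverage(san_list, hostnames).items() if s is None]


if __name__ == "__main__":
    needed = autodiscover_hosts("user@domain.com") + ["branch1.webmail.domain.com"]
    for label, sans in (("UCC SAN cert", UCC_SAN_CERT),
                        ("wildcard cert", WILDCARD_CERT)):
        print(label, "does not cover:", uncovered(sans, needed))
```

The bare domain (domain.com) showing up as uncovered is the normal first miss in the Outlook lookup order; the names to care about are autodiscover.domain.com and whatever OWA name each location publishes.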
 

Author Comment

by:Tofu4679
ID: 34138789
OK, thanks.  I just went ahead and set up the branch with the cert (UCC SAN cert).  I'll deal with moving the autodiscover to another server when the time comes.
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34138820
Thanks for the points