Exchange 2016 and Exchange 2010 Co-Existence

timgreen7077 asked:
489 Views | Last Modified: 2017-04-03
We have an Exchange 2010 environment that we will run in co-existence with Exchange 2016. Today I installed Exchange 2016, but I didn't configure anything yet: no DNS changes, namespace changes or anything. All I did was install Exchange 2016. Today a user got a prompt about that 2016 server saying "The certificate was issued by a company you have chosen not to trust. View the certificate to determine whether you want to trust the certifying authority". I know this is because it is a self-signed cert and I haven't imported any certs yet. But the question is: why did the user's Outlook attempt to connect to that server instead of the Exchange 2010 CAS array? I have powered the server off for now, but I'm curious as to why this happened.

Adam Brown, Senior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:
As soon as you install an Exchange server into an AD site, it will create a "Service Connection Point" for that server that is used to tell clients in the same AD site where Autodiscover is located. Exchange will alternate between server SCPs when multiple Exchange servers are in the same site, so some of your users will not have problems, while others will get the certificate warning. While you are running in coexistence mode, you can reconfigure the 2016 server to point to the 2010 server for autodiscover, but you'll want to make sure this is changed back to the 2016 server once you have a valid certificate installed on there.

Run (in the Exchange Management Shell):
Set-ClientAccessServer <2016 server name> -AutoDiscoverServiceInternalUri https://exchange2010.domain.com/autodiscover/autodiscover.xml

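The SCP behaviour described above can be checked before any user sees the prompt. The script below is an added example, not code from this thread: it lists the Autodiscover URI each server's SCP publishes and tests whether the certificate presented at that host builds a trusted chain on the machine running the check. It assumes the Exchange Management Shell is loaded and that mail.domain.com is the namespace clients are meant to use; both are assumptions for illustration.

```powershell
# Added example (not from the thread): audit every Exchange server's Autodiscover SCP.
# Assumes the Exchange Management Shell is loaded and that 'mail.domain.com' is the
# intended client namespace (assumption for illustration).
$ExpectedHost = 'mail.domain.com'

function Get-AutodiscoverCertStatus {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # Accept any certificate during the handshake so it can be inspected afterwards.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Build the chain the way an Outlook client would, against the local trust stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object Status) -join ',')
        }
    } finally { $tcp.Close() }
}

# One row per server: which host its SCP sends clients to, whether that host is the
# intended namespace, and whether its certificate would trigger the trust prompt.
Get-ClientAccessServer | ForEach-Object {
    $uri = [uri]$_.AutoDiscoverServiceInternalUri
    $status = Get-AutodiscoverCertStatus -HostName $uri.Host
    [pscustomobject]@{
        Server           = $_.Name
        ScpHost          = $uri.Host
        MatchesNamespace = ($uri.Host -ieq $ExpectedHost)
        SelfSigned       = $status.SelfSigned
        ChainTrusted     = $status.ChainTrusted
        ChainStatus      = $status.ChainStatus
    }
} | Format-Table -AutoSize
```

Any row with MatchesNamespace false or ChainTrusted false is a server whose SCP will send some clients to a host they will not trust, which is exactly the situation in this question.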
timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018

Author

Commented:
But if this server's namespace is still the default servername.domain.com, isn't changed to the "mail.domain.com" namespace, and hasn't been added to that name in DNS, I thought Outlook would still point to the SCP of mail.domain.com.
Adam Brown, Senior Systems Admin
CERTIFIED EXPERT
Top Expert 2010

Commented:
I'll try to clarify a bit...
You originally had server.domain.com as your mail server. Autodiscover and the SCP are configured to use server.domain.com as the FQDN for Exchange. When you add server2.domain.com to the environment, it will automatically create a new Exchange server object that has its own SCP value. By default, Exchange will assign the new SCP to be whatever the new server used to register itself in DNS, in this case, server2.domain.com. SCPs in Exchange are *server specific* and are not assigned to the whole organization. Server2.domain.com is a valid Exchange server, but it has a Self-Signed certificate installed on it. That certificate only lists server2.domain.com as a valid name (CN), because it's a self-signed cert, and those only ever include the host name of the computer that generated the cert. Since server2 has an SCP value that points to server2.domain.com, it will refer clients to that address when they do an Autodiscover request. The client gets to the server, but doesn't trust the certificate because server2.domain.com isn't a CA that it trusts. So you can either add the Self-Signed certificate to the client machines to fix the issue or change where Server2's AD SCP value for Exchange Autodiscover points clients to for autodiscover so it goes to the 2010 server. The latter method is more universal, while the earlier solution will work only for computers the self-signed cert is installed on. Alternatively, you can get another certificate from a third party CA that includes the server2.domain.com name on it and use that on the new server.
timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018

Author

Commented:
No, the 2010 environment's Autodiscover and SCP are configured as mail.domain.com, not server.domain.com. So the FQDN is mail.domain.com for the CAS servers in 2010. Now 2016 is still set with the defaults as you mentioned, with server.domain.com. The user that got the alert is a 2010 user, with a mailbox on a 2010 DB and mailbox server. So with that being said, are you saying some 2010 users may still try to connect to the SCP and Autodiscover for 2016 even though the mailboxes are on 2010? I understand what you are saying clearly and the explanation is good, but I'm curious about the question I just explained in this response.
timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018

Author

Commented:
Excellent explanation and answer. I really appreciate your time ;)