Exchange 2010/2016 - Coexistence setup question.

Kaibuk asked:

Hello Team

Coexistence with Exchange 2010 and Exchange 2016. Hopefully you will be able to help me with my question, as I was reading so many articles and watched tutorials about this topic, but there are a few questions open for me which I want to understand and which are making the deployment a bit complicated because of our stupid design we had in the past.

I want to confirm with you if my Outlook Anywhere setup and my URL setup are correct, because whenever I try to point by DNS to Exchange 2016 some unexpected pop-ups are appearing for some users with Outlook 2010 and I want to avoid that next time.

Existing Setup:
Exchange 2010:
Outlook Anywhere is enabled on all the servers with the following settings:
SSLOffloading is set to $false
External URL is set to webmail.domain.com (domain.com has been changed for the purpose); this URL will point to Exchange 2016 later
There is no internal hostname
ExternalClientsRequireSsl          : True
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Ntlm}

All other service URLs are set to match same what I have on Exchange 2016.

Exchange 2016 Outlook Anywhere is set like this:
SSLOffloading $true
External and internal URLs same as Exchange 2010: webmail.domain.com
External and internal require SSL is set to $true
Default authentication method NTLM

The Exchange 2016 was originally installed in a different AD site than our Exchange 2010. So when I run Get-ClientAccessServer on any Exchange 2016 server and check the value of AutoDiscoverSiteScope, the scope is set to the test AD site where Exchange 2016 is installed.


These are my questions and problems:

1. Certificate question: Our Exchange 2010 was set up in the past by someone not experienced enough, and wrongly, as he used domain.local names for all the URL DNS names. Now, because we are going towards O365, we can't use domain.local names in the SANs because our external CA is not accepting them. I already requested a new certificate from a 3rd-party vendor and installed it on the Exchange 2016 successfully.
The problem is my Exchange 2010. Last week I ran a late change to set all the URLs on the Exchange 2010 to match the same addresses we will use for Exchange 2016 and also to remove domain.local names from the URLs. That change was fine, but the problems started when I changed the certificate. Somehow Outlook for many people was still complaining that the certificate doesn't contain the domain.local names in the SANs. For some reason it was still trying to connect using the old names even though I set all URLs correctly on the Exchange 2010.

To fix the issue for users I created a new certificate using our CA which contains all the SANs the Exchange 2016 has + all the old domain.local ones, so Outlook stops complaining.

My question is if it's a problem to have two different certificates between Exchange 2010 and 2016 where both of them are trusted by each client and both of them have the required names in the SAN. Or is it a problem?

2. SSL offloading. In Exchange 2016 this option is enabled by default in Outlook Anywhere. Do I need SSLOffloading enabled or disabled on Exchange 2016? This topic is not clear for me as it is not explained well anywhere.

3. Do I need to push a GPO to Outlook 2010 clients to force them to use Outlook Anywhere?

4. Do I need Basic authentication on the Outlook Anywhere Exchange 2010 setup?

5. Is it safe for me to change AutoDiscoverSiteScope on Exchange 2016 to be the same as Exchange 2010? I checked the SCP records in ldp and all point to the same autodiscover value as Exchange 2010.

I asked a few colleagues already to put the IP addresses of Exchange 2016 in the hosts file, and a lot of them didn't get any issues, but one for some reason got again a pop-up with a certificate warning for the address which contains the domain.local name in the FQDN. Which I don't understand, why Outlook still tried to connect to that.

We did a Test E-mail AutoConfiguration on the user's machine and there is no reference in Outlook to that address.

This is why I want to confirm my setup, because I'm getting surprise pop-ups for addresses which I removed in Exchange 2010.
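An added check, not from this thread and not Microsoft's code, that puts questions 1 and 5 on one screen: it lists the Outlook Anywhere settings of every server side by side, the Autodiscover SCP URL and AutoDiscoverSiteScope per server, then collects every hostname Autodiscover can hand to a client (all service URLs, Outlook Anywhere hostnames, the SCP host) and reports, for the certificate bound to IIS on each server, which of those names it does not cover. The cmdlets are real Exchange cmdlets; the server names and hostnames are whatever your organisation returns. It is read-only and is run from the Exchange Management Shell on the 2016 server.

```powershell
# Added example (not from the thread): audit what Outlook is handed and
# whether each server's IIS certificate covers it. Read-only.

# 1. Outlook Anywhere, every server side by side.
function Show-OutlookAnywhereSettings {
    Get-OutlookAnywhere -ADPropertiesOnly |
        Select-Object ServerName, ExternalHostname, InternalHostname,
            ExternalClientsRequireSsl, InternalClientsRequireSsl,
            ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod,
            @{ n = 'IISAuth'; e = { $_.IISAuthenticationMethods -join ',' } },
            SSLOffloading |
        Format-Table -AutoSize
}

# 2. Autodiscover SCP URL and AutoDiscoverSiteScope per server.
#    (Get-ClientAccessServer still works on 2016; Get-ClientAccessService
#    is its replacement there.)
function Show-AutodiscoverScope {
    Get-ClientAccessServer |
        Select-Object Name, AutoDiscoverServiceInternalUri,
            @{ n = 'SiteScope'; e = { $_.AutoDiscoverSiteScope -join ',' } } |
        Format-Table -AutoSize
}

# 3. Every hostname Autodiscover can hand to a client, lower-cased, unique.
function Get-ServiceHostNames {
    $names = New-Object System.Collections.Generic.List[string]
    $vdirs = @(Get-WebServicesVirtualDirectory -ADPropertiesOnly) +
             @(Get-OabVirtualDirectory -ADPropertiesOnly) +
             @(Get-OwaVirtualDirectory -ADPropertiesOnly) +
             @(Get-EcpVirtualDirectory -ADPropertiesOnly) +
             @(Get-ActiveSyncVirtualDirectory -ADPropertiesOnly)
    foreach ($v in $vdirs) {
        foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
            if ($u) { $names.Add(([uri]$u).Host.ToLower()) }
        }
    }
    foreach ($oa in Get-OutlookAnywhere -ADPropertiesOnly) {
        foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) {
            if ($h) { $names.Add($h.ToString().ToLower()) }
        }
    }
    foreach ($cas in Get-ClientAccessServer) {
        if ($cas.AutoDiscoverServiceInternalUri) {
            $names.Add(([uri]$cas.AutoDiscoverServiceInternalUri).Host.ToLower())
        }
    }
    $names | Sort-Object -Unique
}

# A SAN entry covers a name if it is equal, or is a wildcard for that exact
# level (*.domain.com covers webmail.domain.com but not a.b.domain.com).
function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name -like $d -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

# 4. Compare that list with the certificate bound to IIS on each server.
#    Two different certificates are fine as long as each one covers the whole
#    list and every client trusts its issuer; this prints the names that fall
#    outside the SAN, which is where the prompts come from.
function Test-IisCertificateCoverage {
    $needed = @(Get-ServiceHostNames)
    foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -match 'ClientAccess|Mailbox' }) {
        $cert = Get-ExchangeCertificate -Server $srv.Name |
            Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
        if (-not $cert) { "$($srv.Name): no certificate bound to IIS"; continue }
        $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        $missing = @($needed | Where-Object { -not (Test-NameCovered $_ $domains) })
        "$($srv.Name): IIS cert $($cert.Thumbprint), expires $($cert.NotAfter.ToShortDateString())"
        if ($missing.Count) { "  not in SAN: $($missing -join ', ')" } else { "  all service hostnames covered" }
    }
}

Show-OutlookAnywhereSettings
Show-AutodiscoverScope
Test-IisCertificateCoverage
```

If a domain.local name still shows up in the "not in SAN" line, or in the hostname list at all, that is a URL or SCP still carrying the old name; if the list is clean but a client still prompts for a domain.local name, the client is getting that name from somewhere other than Autodiscover (a cached profile setting, for example), which is what the Test E-mail AutoConfiguration output is there to confirm.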
Saif Shaikh:

For all your questions related to the certificate issue: you need a multi-SAN cert from a third party with mail.domain.com and autodiscover.domain.com entries, and both need host A records pointing to your Exchange server's public IP.

Exchange 2016 and Outlook 2013 onwards connect only using Autodiscover. So a multi-SAN cert is mandatory here, otherwise you will get certificate prompts. Install the same cert on 2010 as well.

Kaibuk (asker):

I have a Cert with SANs.

The question is, does it really need to be the same cert on Exchange 2010 and Exchange 2016, even if I have the names covering the service URLs in the SANs?

See, it doesn't matter for 2010, but during migration we always recommend and set the same cert, i.e. the newly purchased multi-SAN setup, on both the servers.



Kaibuk (asker):


Still monitoring; I will let you know if the coexistence finally works. It looks OK, but some still get pop-ups for credentials.

In the IIS authentication providers for RPC, what should be set first, NTLM or Negotiate? I have Not now.
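An added example, not from this thread and not Microsoft's code, for checking that last question on your own server: it reads the Windows authentication provider order on the /Rpc virtual directory of the front end (the order IIS offers providers to a client) together with the Basic setting there, and shows what Exchange itself has recorded for Outlook Anywhere on the same server, so the two can be compared. 'Default Web Site' is the usual front-end site name and is an assumption here; run it in an elevated PowerShell on the Exchange server, and the second function needs the Exchange Management Shell.

```powershell
# Added example (not from the thread): read the Windows auth provider order
# on /Rpc and compare it with Exchange's own record of the vdir. Read-only.
Import-Module WebAdministration

function Get-RpcAuthProviders {
    param([string]$SiteName = 'Default Web Site')   # assumed site name
    $psPath = "IIS:\Sites\$SiteName\Rpc"
    $base   = 'system.webServer/security/authentication'
    $win    = Get-WebConfiguration -Filter "$base/windowsAuthentication" -PSPath $psPath
    $basic  = Get-WebConfiguration -Filter "$base/basicAuthentication"   -PSPath $psPath
    # providers/add is an ordered collection; the first entry is what IIS offers first.
    $providers = @(Get-WebConfiguration -Filter "$base/windowsAuthentication/providers/add" -PSPath $psPath |
                   ForEach-Object { $_.value })
    [pscustomobject]@{
        VirtualDirectory = "$SiteName/Rpc"
        WindowsAuth      = [bool]$win.enabled
        BasicAuth        = [bool]$basic.enabled
        ProviderOrder    = $providers -join ' > '
    }
}

# Same information as appcmd would give, for cross-checking:
#   appcmd list config "Default Web Site/Rpc" -section:system.webServer/security/authentication/windowsAuthentication

# What Exchange has stored in AD for the same vdir. This is the supported place
# to change the methods (Set-OutlookAnywhere -IISAuthenticationMethods), rather
# than editing the IIS configuration directly.
function Get-ExchangeViewOfRpc {
    Get-OutlookAnywhere -Server $env:COMPUTERNAME -ADPropertiesOnly |
        Select-Object ServerName,
            @{ n = 'IISAuthenticationMethods'; e = { $_.IISAuthenticationMethods -join ',' } },
            ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod
}

Get-RpcAuthProviders
Get-ExchangeViewOfRpc
```

If the two views disagree (for example Exchange lists only Ntlm while IIS also has Basic enabled, or the provider order in IIS is not what you expected), that mismatch is worth resolving before chasing the remaining credential pop-ups, because the client only ever sees what IIS offers.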
ASKER CERTIFIED SOLUTION
Saif Shaikh
This solution is only available to members.
Kaibuk (asker):


Thanks for the comment, we got further; sorry for not replying earlier.