
Exchange 2010/2016 - Coexistence setup question.

Asked by Krzysztof Kubiak
Topics: Exchange, Outlook, DNS
Hello Team

Coexistence with Exchange 2010 and Exchange 2016. Hopefully you will be able to help me with my question, as I have read many articles and watched tutorials about this topic, but there are a few questions still open for me which I want to understand and which are making the deployment a bit complicated because of the stupid design we had in the past.

I want to confirm with you whether my Outlook Anywhere setup and my URL setup are correct, because whenever I try to point my DNS to Exchange 2016 some unexpected pop-ups appear for some users with Outlook 2010, and I want to avoid that next time.

Existing setup:
Exchange 2010:
Outlook Anywhere is enabled on all the servers with the following settings:
SSLOffloading is set to $false
External URL is set to webmail.domain.com (domain.com has been changed for the purpose); this URL will point to Exchange 2016 later
There is no internal host name
ExternalClientsRequireSsl          : True
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Ntlm}

All other service URLs are set to match what I have on Exchange 2016.

Exchange 2016 Outlook Anywhere is set like this:
SSLOffloading $true
External and internal URLs same as Exchange 2010: webmail.domain.com
External and internal require SSL is set to $true
Default authentication method NTLM

The Exchange 2016 was originally installed on a different AD site than our Exchange 2010. So when I run Get-ClientAccessServer on any Exchange 2016 server and check the value of AutoDiscoverSiteScope, the scope is set to the test AD site where Exchange 2016 is installed.


These are my questions and problems:

1. Certificate question: Our Exchange 2010 was set up in the past by someone not experienced enough, and wrongly, as he used domain local names for all the URL DNS names. Now because we are going towards O365 we can't use domain local names in the SANs because our external CA is not accepting them. I already requested a new certificate from a 3rd party vendor and installed it on the Exchange 2016 successfully.
The problem is my Exchange 2010. Last week I ran a late change to set all the URLs on the Exchange 2010 to match the same addresses we will use for Exchange 2016 and also to remove domain local names from the URLs. That change was fine, but the problems started when I changed the certificate. Somewhere Outlook for many people was still complaining that the certificate doesn't contain the domain local domains in the SANs. For some reason it was still trying to connect using the old names even though I set all URLs correctly on the Exchange 2010.

To fix the issue for users I created a new certificate using our CA which contains all the SANs the Exchange 2016 has + all the old domain local ones so Outlook stops complaining.

My question is if it's a problem to have two different certificates between Exchange 2010 and 2016 where both of them are trusted by each client and both of them have the required names in the SAN. Or is it a problem?

2. SSL Offloading. In Exchange 2016 this option is enabled by default in Outlook Anywhere. Do I need SSLOffloading enabled and disabled on Exchange 2016? This topic is not clear to me as it's not explained well anywhere.

3. Do I need to push a GPO to Outlook 2010 clients to force them to use Outlook Anywhere?

4. Do I need Basic Authentication on the Outlook Anywhere Exchange 2010 setup?

5. Is it safe for me to change AutoDiscoverSiteScope on Exchange 2016 to be the same as Exchange 2010? I checked the SCP records in ldp and all point to the same autodiscover value as Exchange 2010.

I already asked a few colleagues to put the IP addresses of Exchange 2016 in the hosts file and a lot of them didn't get any issues, but one for some reason again got a pop-up with a certificate warning for the address which contains the domain.local name in the FQDN. I don't understand why Outlook still tried to connect to that.

We did a Test AutoConfiguration on the user's machine and there is no reference in Outlook to that address.

This is why I want to confirm my setup, because I'm getting surprise pop-ups for addresses which I removed in Exchange 2010.
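
A read-only check for the setup described in the question, added here as an example and not part of the original post: it lists every hostname published through the Autodiscover SCP, Outlook Anywhere and the virtual directories on each server, and marks whether that server's IIS-bound certificate carries the name in its SANs. It assumes the Exchange 2016 Management Shell with view rights on both versions; `Add-Name` and `Test-Covered` are helper names introduced for this example.

```powershell
# Added example; read-only. Run in the Exchange 2016 Management Shell.
$names = New-Object System.Collections.Generic.List[object]

function Add-Name($Server, $Source, $Value) {
    if (-not $Value) { return }
    $text = "$Value"; $uri = $null
    # URL values are reduced to their host; Outlook Anywhere hostnames are already bare names
    if ([Uri]::TryCreate($text, [UriKind]::Absolute, [ref]$uri)) { $text = $uri.Host }
    $names.Add([pscustomobject]@{ Server = "$Server"; Source = $Source; HostName = $text.ToLower() })
}

function Test-Covered($HostName, $Sans) {
    foreach ($san in $Sans) {
        if ($san -eq $HostName) { return $true }
        # A wildcard SAN (*.domain.com) covers exactly one extra left-hand label
        $dot = $HostName.IndexOf('.')
        if ($san.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $san.Substring(1)) { return $true }
    }
    return $false
}

# Autodiscover SCP value registered for each Client Access server
foreach ($cas in (Get-ClientAccessServer)) {
    Add-Name $cas.Name 'SCP AutoDiscoverServiceInternalUri' $cas.AutoDiscoverServiceInternalUri
}
foreach ($oa in (Get-OutlookAnywhere)) {
    Add-Name $oa.Server 'OutlookAnywhere ExternalHostname' $oa.ExternalHostname
    Add-Name $oa.Server 'OutlookAnywhere InternalHostname' $oa.InternalHostname  # empty on Exchange 2010
}
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmdlets) {
    foreach ($v in (& $cmd)) {
        Add-Name $v.Server "$cmd InternalUrl" $v.InternalUrl
        Add-Name $v.Server "$cmd ExternalUrl" $v.ExternalUrl
    }
}

# SANs of the certificate(s) bound to IIS on each server that publishes a name
$certSans = @{}
foreach ($srv in ($names | ForEach-Object { $_.Server } | Sort-Object -Unique)) {
    $certSans[$srv] = @(Get-ExchangeCertificate -Server $srv |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() })
}

$names | Select-Object Server, Source, HostName,
    @{ n = 'InIisCertSans'; e = { Test-Covered $_.HostName ($certSans[$_.Server]) } } |
    Sort-Object Server, HostName | Format-Table -AutoSize
```

Rows with `InIisCertSans` set to `False` are names a server still publishes that its own IIS certificate does not list.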