AutoDiscover SCP Order

  • Question

  • Upgrading from 2007 to 2013.

    Turnaround for new certificate might be a day.

    I have seen it before where clients try and connect to the new SCP and Outlook certificate errors become an issue (until the certificate is generated and installed).

    1. Is there an order of precedence for SCP? (Age of SCP, version of CAS, AD Site?)

    2. If clients are in AD site "Primary" and Exchange 2007 is in AD site "Primary" but Exchange 2013 is installed in AD site "NEW", will this ensure clients always connect to 2007 in the interim?

    3. Obviously during the migration SCP requests will be proxied from one version of CAS to another depending on location of mailbox (pre-migration or post-migration). Is there a preferred option to have all Autodiscover SCP to point to older/newer CAS during the migration?

    (All clients are domain-joined, no external Autodiscover, single domain, single forest)


    • Edited by W2K13RDS Monday, May 8, 2017 3:37 PM
    Monday, May 8, 2017 3:36 PM

All replies

  • I always set the SCP on all the Exchange Servers to be the same.  This way users will always go to the location that you want them to for Autodiscover.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Monday, May 8, 2017 8:47 PM
  • Hinte gives you good advice.  Upon building a new server, the first thing I do is set the SCP (Set-ClientAccessServer -AutodiscoverServiceInternalUri) to the value you already use on other servers. If you're fast, you can minimize the window that users will get a certificate popup.  And I tell the help desk to just tell anyone who calls to click through it.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, May 8, 2017 8:57 PM
    Moderator
  • Ok.

    That makes sense. So, at what stage of migration do you change to the new Autodiscover? Currently, SCP points to a 2007 server name  which will no longer exist post-migration. My new autodiscover location will be an NLB pair of 2013 CAS servers.

    So would you suggest:

    1. Install Exchange 2013

    2. Repoint Exchange 2013 SCPs to 2007 server name (to eliminate certificate errors)

    3. Generate certificate request for 2013 NLB FQDN

    4. Install certificate on Exchange 2013 servers

    Then, at some stage will need to change 2013 SCPs to point back to new 2013 NLB FQDN.

    Do it during migration? And point 2007 SCP to 2013 NLB FQDN also?

    Or wait until 2007 is due to be uninstalled, and only change 2013 SCPs?

    Tuesday, May 9, 2017 2:20 PM
  • At step 3, I would generate the cert for both Exchange 2013 and Exchange 2007 namespaces, since Autodiscover, and OutlookAnywhere can proxy from Exchange 2013 to Exchange 2007 and OWA is going to be a straight redirect.  

    Then install the same cert throughout the environment (Exchange 2013 & 2007 Servers & any HLB that requires it).

    Make sure you test to make sure everything works as expected.  Then you need to change your Autodiscover SCP and other namespaces to point to Exchange 2013. Typically the way this works is that a higher version of Exchange can answer and proxy autodiscover requests for/to a lower version and not the other way around.  I say typically here because it works differently when migrating from Exchange 2013 to Exchange 2016.

     


    Tuesday, May 9, 2017 2:27 PM
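
The replies above recommend keeping the Autodiscover SCP identical on every server and installing a certificate that covers the namespaces before repointing. As an added example (not posted by anyone in this thread), the read-only audit below lists each server's SCP, its site scope, whether it matches the intended URI, and whether an unexpired IIS-enabled certificate on that server covers the SCP host name. `$ExpectedUri` is a placeholder and `Test-NameCovered` is a helper written for this example.

```powershell
# Added example. Read-only; run in the Exchange Management Shell.
# Placeholder: replace with the URI your existing servers already publish.
$ExpectedUri = [Uri]'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'

function Test-NameCovered {
    # True if $HostName matches a certificate name exactly or via a one-label wildcard.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)          # "*.example.com" -> ".example.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$report = foreach ($cas in Get-ClientAccessServer) {
    $raw     = "$($cas.AutoDiscoverServiceInternalUri)"
    $scpHost = if ($raw) { ([Uri]$raw).Host } else { $null }

    # Unexpired certificates enabled for IIS on this server. The query can fail
    # for a server this shell cannot manage; CertsFound = 0 makes that visible.
    $certs = @(Get-ExchangeCertificate -Server $cas.Name -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Services)" -match 'IIS' -and $_.NotAfter -gt (Get-Date) })
    $names = @($certs | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })

    [pscustomobject]@{
        Server                 = $cas.Name
        SiteScope              = $cas.AutoDiscoverSiteScope -join ','
        ScpUri                 = $raw
        MatchesTarget          = ($raw -and ([Uri]$raw).AbsoluteUri -eq $ExpectedUri.AbsoluteUri)
        CertsFound             = $certs.Count
        LocalCertCoversScpHost = ($scpHost -and (Test-NameCovered $scpHost $names))
    }
}
$report | Format-Table -AutoSize
```

`LocalCertCoversScpHost` is expected to be false on a server whose SCP deliberately points at another server's name; it matters once the SCP points at a name that this server itself answers for, such as a load-balanced FQDN.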