Exchange 2013 certificate error
Hello
I have two Exchange 2010 servers with CAS array and DAG. Everything working fine. CAS array is named mail.mycompany.com. Also we have valid certificate with that name included.
Now we have installed Exchange 2013 server to our environment. Server is named exch2013.mycompany.int
We have installed the same certificate to this server as it is in exchange 2010 servers. All mail still goes through Exchange 2010 servers but Outlook clients started to pop up warnings that certificate is not valid as exch2013.mycompany.int name is not included.
What should I do to prevent these warnings and configure Exchange 2013 to use the mail.mycompany.com name? As I guess I cannot join Exchange 2013 to the Exchange 2010 CAS array?
April 18th, 2013 6:18pm
Exchange 2013 doesn't use CAS arrays, so you can't join them, no.
Your old cert only contains a single namespace? That is, mail.mycompany.com?
April 18th, 2013 11:47pm
Hello,
Your SSL certificate needn't contain the CAS array object's FQDN. But when you use Outlook to access the Exchange server, your certificate needs to contain your server FQDN (e.g. Exch2013.mycompany.int).
Here are two articles for your reference.
Demystifying the CAS Array Object - Part 1
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
SSL Certificates for Exchange Server 2013
http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/
Cara Chen
TechNet Community Support
April 19th, 2013 5:23am
Our certificate contains:
mail.mycompany.com
autodiscover.mycompany.com
We have 2 Exchange 2010 CAS servers in an array named mail.mycompany.com.
Now we are planning two Exchange 2013 CAS servers named Exch2013-1.mycompany.com and Exch2013-2.mycompany.com.
Can these servers go under the name mail.mycompany.com as the Exchange 2010 servers did? Or will we need to buy a new certificate for them?
April 19th, 2013 9:18am
No, you DON'T need the fqdn of the servers. If you're planning on using a single namespace (which I am a fan of, as you never make the internal names visible on the outside), you have to point all services (ECP, OWS etc) to https://mail.mycompany.com/(service).
Use powershell or the ECP, doesn't matter.
However; to the best of my knowledge you can't set autodiscover from GUI; nor is it possible to set it in the virtual directory, as this is a CAS property.
So what you do, is run:
Set-ClientAccessServer -server (server) -AutoDiscoverServiceInternalUri https://mail.mycompany.com/Autodiscover/Autodiscover.xml
For both servers.
Wait a few minutes, and you're all good.
This could use a blog post, the information on this is dodgy and misleading.
Edit: My wish is my command. Blogpost: http://3techies.com/?p=194
April 19th, 2013 11:22am
As mentioned in a number of postings above, you need to do two things.
1. Install the 2010 cert on the 2013 server.
2. Change all Exchange urls to mail.company.com (the url in cert) on 2013 servers.
This assumes that you have split-DNS configured.
Rajith Enchiparambil | http://www.howexchangeworks.com
April 19th, 2013 12:35pm
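An added example, not from any poster in this thread, that carries out the two steps above from the Exchange Management Shell on the Exchange 2013 servers. It assumes the server names Exch2013-1 and Exch2013-2 and the single namespace mail.mycompany.com used earlier in the thread, that the existing mail.mycompany.com certificate has already been imported on both servers, and that split DNS resolves that name internally and externally; the thumbprint is a placeholder. It uses -Identity on Set-ClientAccessServer, which is the parameter that cmdlet actually takes.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on an Exchange 2013 server.
# Assumptions: servers Exch2013-1 / Exch2013-2, single namespace mail.mycompany.com,
# split DNS so the name resolves inside and outside, and the mail.mycompany.com
# certificate already imported on both servers (thumbprint below is a placeholder).
$Servers    = @('Exch2013-1', 'Exch2013-2')
$Namespace  = 'mail.mycompany.com'
$Thumbprint = '<THUMBPRINT-OF-MAIL.MYCOMPANY.COM-CERT>'   # placeholder, not a real value

foreach ($Server in $Servers) {
    # Step 1: bind the imported certificate to IIS (and SMTP) so HTTPS presents the expected name.
    Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services 'IIS,SMTP' -Force

    # Step 2: point every client-facing virtual directory at the single namespace.
    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -InternalUrl "https://$Namespace/owa" -ExternalUrl "https://$Namespace/owa"
    Get-EcpVirtualDirectory -Server $Server |
        Set-EcpVirtualDirectory -InternalUrl "https://$Namespace/ecp" -ExternalUrl "https://$Namespace/ecp"
    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -InternalUrl "https://$Namespace/EWS/Exchange.asmx" `
                                        -ExternalUrl "https://$Namespace/EWS/Exchange.asmx"
    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" `
                                       -ExternalUrl "https://$Namespace/Microsoft-Server-ActiveSync"
    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -InternalUrl "https://$Namespace/OAB" -ExternalUrl "https://$Namespace/OAB"

    # Outlook Anywhere: both host names on the namespace, SSL required; the authentication
    # method is left as configured (the thread keeps the default Negotiate).
    Get-OutlookAnywhere -Server $Server |
        Set-OutlookAnywhere -InternalHostname $Namespace -ExternalHostname $Namespace `
                            -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

    # Autodiscover is a server property, not a virtual directory one, hence Set-ClientAccessServer.
    Set-ClientAccessServer -Identity $Server `
        -AutoDiscoverServiceInternalUri "https://$Namespace/Autodiscover/Autodiscover.xml"
}
```

After the change, a client that connects to mail.mycompany.com is shown only names that the certificate contains, which is what removes the warning described at the top of the thread; the internal server FQDNs never reach the client.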
Should I point both internal and external URLs to https://mail.mycompany.com/(service)?
Or only external ones?
For example Outlook Anywhere Url:
Specify the external host name (for example, contoso.com) that users will use to connect to your organization.
mail.mycompany.com
*Specify the internal host name (for example, contoso.com) that users will use to connect to your organization.
mail.mycompany.com
Is this correct?
And also this setting:
*Specify the authentication method for external clients to use when connecting to your organization
If I leave the default "Negotiate", the server throws a warning that it is not supported for earlier versions of Exchange. So should I change it to "NTLM" or leave "Negotiate" as we still have Exchange 2010 servers?
Thank You for great help!
April 19th, 2013 12:44pm
If you want to use a single namespace, point everything to mail.mycompany.com; just make sure that it's resolvable/reachable from the inside.
I've left it at Negotiate for my mixed setups, and it's worked fine.
April 19th, 2013 12:46pm
Hi, thank you for the great help once more :)
I think in this command you mentioned:
Set-ClientAccessServer -server (server) -AutoDiscoverServiceInternalUri
you must use -Identity, not -Server.
April 19th, 2013 3:24pm
Ok, I have done as you told with the URLs. We have split-brain DNS. Both internally and externally mail.mycompany.com points to the same virtual IP.
Now in our hardware load balancers I have disabled my current Exchange 2010 CAS servers and enabled the Exchange 2013 servers. Now all users that were connected to Exchange 2010 must be connected to the new Exchange 2013, but all users got a pop-up screen to input their username and password. If they do so nothing works, Outlook is disconnected. Why can't users reconnect to the Exchange 2013 servers?
April 19th, 2013 4:15pm
So this is for Exchange 2010 users, not 2013, right?
April 19th, 2013 4:40pm
Yes, all these users are on Exchange 2010 mailbox servers using Outlook 2010 with the latest updates. What should I do if I want the Exchange 2013 servers to take care of mail traffic (switch from Exchange 2010 CAS servers to Exchange 2013)? Maybe I am missing some authentication settings or something else?
April 19th, 2013 5:00pm
Hmmm, well I'm just going to think out loud a bit here.
What you're looking to do is to proxy all connections to both Ex2010 and 2013 using the same namespace. That namespace currently only goes to the Ex2013 CAS'es. There is no connection to the 2010 CAS anymore. I haven't really tried that scenario.
You've updated Outlook 2010; including cumulative updates? Latest is February 2013 I think. MS only supports 2010 SP1 including at least cumulative updates as of November 2012 with Exchange 2013.
http://support.microsoft.com/kb/2800779
Also; you need to verify that Outlook Anywhere authentication is the same as with 2010; if it's NTLM, set it to NTLM on 2013 as well.
If you hold CTRL and right click the Outlook icon in systray, and run test autoconfig (remove the guessmart-checkboxes); what does it give you?
April 19th, 2013 5:57pm
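An added example, not from any poster in this thread, that checks from the shell the two things this reply asks about: whether every client URL the CAS servers hand out is covered by the certificate each server actually binds to IIS (the cause of the warning at the start of the thread), and whether the Outlook Anywhere authentication method agrees between the 2010 and 2013 servers. It assumes an Exchange Management Shell session on an Exchange 2013 server (Windows PowerShell 3.0 or later) with permission to read these objects; Test-NameCovered is a helper written here, not an Exchange cmdlet.

```powershell
# Added example, not from the thread. Audits every Client Access server in the org:
#  - is each configured client URL host name covered by the certificate bound to IIS?
#  - do the servers agree on the Outlook Anywhere external authentication method?
# Assumes an Exchange 2013 Management Shell session (PowerShell 3.0+) with read rights.

function Test-NameCovered {
    # Helper written for this example: true if $Name is listed in the certificate,
    # either exactly or via a one-label wildcard such as *.mycompany.com.
    param([string]$Name, [string[]]$SanNames)
    foreach ($san in $SanNames) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and $Name.EndsWith($san.Substring(1))) {
            $Label = $Name.Substring(0, $Name.Length - $san.Length + 1)   # what the '*' stands for
            if ($Label -ne '' -and -not $Label.Contains('.')) { return $true }
        }
    }
    return $false
}

$Report = @()
$OaAuth = @{}
foreach ($Cas in Get-ClientAccessServer) {
    $Server = $Cas.Name

    # The certificate IIS presents is the one whose Services list includes IIS.
    $IisCert = Get-ExchangeCertificate -Server $Server |
               Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    $SanNames = @()
    if ($IisCert) { $SanNames = @($IisCert.CertificateDomains | ForEach-Object { "$_".ToLower() }) }

    # Every URL this server hands to clients.
    $Urls = @()
    foreach ($vd in @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
                    @(Get-WebServicesVirtualDirectory -Server $Server) + @(Get-ActiveSyncVirtualDirectory -Server $Server) +
                    @(Get-OabVirtualDirectory -Server $Server)) {
        $Urls += $vd.InternalUrl, $vd.ExternalUrl
    }
    $Urls += $Cas.AutoDiscoverServiceInternalUri
    foreach ($oa in @(Get-OutlookAnywhere -Server $Server)) {
        if ($oa.ExternalHostname) { $Urls += "https://$($oa.ExternalHostname)/rpc" }
        if ($oa.InternalHostname) { $Urls += "https://$($oa.InternalHostname)/rpc" }   # 2013 only
        $OaAuth[$Server] = "$($oa.ExternalClientAuthenticationMethod)"
    }

    foreach ($u in $Urls) {
        if (-not $u) { continue }                          # unset URLs (e.g. OAB external) are skipped
        $HostName = ([uri]"$u").Host.ToLower()
        if (-not $HostName) { continue }
        $Report += [pscustomobject]@{
            Server  = $Server
            Url     = "$u"
            Covered = Test-NameCovered -Name $HostName -SanNames $SanNames
        }
    }
}

# Any row here is a URL a client will be sent to that the server's certificate cannot vouch for.
$Report | Where-Object { -not $_.Covered } | Format-Table -AutoSize

# Mixed 2010/2013 Outlook Anywhere: clients expect the same method from every server.
if (@($OaAuth.Values | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'Outlook Anywhere external authentication differs between servers:'
    $OaAuth.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}
```

An empty first table means no client is pointed at a name outside the certificate; in the original poster's situation the rows would have shown the exch2013.mycompany.int URLs against a certificate listing only mail.mycompany.com and autodiscover.mycompany.com.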
I'll follow up myself here. I don't think you can do that. The Exchange 2013 CAS is really simple, I don't think it can handle requests for 2010 mailboxes. It will actually proxy to the 2010 CAS, so that has to be available with another namespace.
http://geekswithblogs.net/marcde/archive/2013/03/21/exchange-2013-the-client-access-server.aspx
If the mailbox is local on an Exchange 2013 mailbox server, nothing much special happens. The CAS proxies the connection to the 2013 mailbox server. If the mailbox would be on an Exchange 2010 mailbox server the connection will be proxied to an Exchange 2010 CAS server in the same site to handle the request. If the Exchange 2010 mailbox server is in another, non-internet facing, site the Exchange 2013 CAS server will proxy to the 2010 CAS server to handle the request.
April 19th, 2013 6:03pm
So what is the best way to migrate Exchange 2010 users to Exchange 2013? We have the mail.mycompany.com namespace for Exchange 2010 and we want to use it for Exchange 2013 after migration.
Do I get it right: we need all Exchange 2010 and Exchange 2013 servers up and running, then migrate users from 2010 to 2013, and only then will we be able to shut down the 2010 CAS servers and point the HLB to the 2013 CAS?
April 19th, 2013 11:02pm
Well you will at least need one 2010 CAS (depending on your size of course) available for 2010 users.
It's all fairly new, so I don't have much real-life experience with the transitions; but I'd point mail.mycompany.com to the ex2013 servers, and edit the namespace for the 2010 casarray (which I assume you have) to be something else. Because I imagine that the casarray is mail.mycompany.com as well, and if you change the actual DNS entry to point to only 2013 servers... you've got yourself a loop.
The old array shouldn't need to be internet facing though, 2013 CASes will act as a proxy (you can test this by going to mail.mycompany.com/owa and logging on to a 2010 mailbox. You'll see that you get the 2010 OWA, but you're still connected to mail.mycompany.com).
April 20th, 2013 2:22pm
One more question.
Let's say I have configured the Exchange 2013 servers with a different namespace.
Exchange 2010 servers use mail.mycompany.com. autodiscover.mycompany.com is a CNAME to mail.mycompany.com. HLB number 1 is balancing mail.mycompany.com to the 2010 CAS servers.
Exchange 2013 servers use mail1.mycompany.com. autodiscover1.mycompany.com is a CNAME to mail1.mycompany.com. HLB number 2 is balancing mail1.mycompany.com to the 2013 CAS servers.
Of course the mail and mail1 namespaces use different virtual IP addresses.
If I migrate an Exchange 2010 user mailbox to Exchange 2013, will this user be able to access his mailbox after migration with Outlook? How will autodiscover work in this case, or should I configure something else for this to work?
April 22nd, 2013 12:38pm
Well you only need one autodiscover entry. Autodiscover1 won't do anything.
I'd cname autodiscover.mycompany.com to the Ex2013 servers, it'll detect where your mailbox is, regardless of 2010 or 2013.
When you move mailboxes from 2010 to 2013, Outlook clients will simply get a 'you need to restart Outlook' message, and they should be all good.
April 22nd, 2013 1:00pm
For testing purposes I have entered these settings into the hosts file of a test PC:
IPofExchange2013 mail.mycompany.com
IPofExchange2013 autodiscover.mycompany.com
Then I migrated an Exchange 2010 user mailbox to the Exchange 2013 server.
Then I logged in with that migrated user on the test PC with the altered hosts file, and Outlook is in disconnected mode. I have restarted it numerous times. Nothing helps.
Maybe the problem is that the Exchange 2013 server's autodiscover internal and external URLs point to mail.mycompany.com, and this is resolved by Exchange 2013 as the 2010 CAS array?
April 22nd, 2013 3:19pm
That would make sense, I think. I just did this myself actually. Set Ex2013 to mail.mycompany.com, changed the ex2010 server (just had one) to standard URLs (ex01.domain.local), and pointed autodiscovery to mail.mycompany.com.
Exchange 2013 acts as a proxy when using webmail from mail.mycompany.com, and autodiscover sends the 2010 clients to the 2010 server (and 2013 to 2013 of course).
Did you run 'test autoconfiguration' from Outlook, to verify that there's no issue with autodiscover? Alternatively, does it work if you set up the client manually?
April 23rd, 2013 8:48am
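An added example, not from any poster in this thread, that does from a script what Outlook's "Test E-mail AutoConfiguration" does by hand: it posts a plain Autodiscover (POX) request for one mailbox through the shared autodiscover name and lists which server each returned protocol entry points at, so you can see whether a 2010 mailbox is sent to the 2010 side and a migrated one to 2013. It assumes autodiscover.mycompany.com resolves (per the thread, a CNAME to mail.mycompany.com), that the certificate is trusted on the test PC, Windows PowerShell 3.0 or later for Invoke-WebRequest, and a constructed placeholder user; Get-AutodiscoverSettings is a function written here, not an Exchange cmdlet.

```powershell
# Added example, not from the thread. Queries Autodiscover for one mailbox and shows
# the Server/URL values it returns, the same data Outlook uses to decide where to connect.
# Assumptions: autodiscover.mycompany.com resolves to the namespace, the certificate is
# trusted by this PC, PowerShell 3.0+, and user@mycompany.com is a constructed placeholder.
function Get-AutodiscoverSettings {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$AutodiscoverHost = 'autodiscover.mycompany.com'
    )
    # The Outlook 2006a request schema; the response carries one Protocol block per access method.
    $Body = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
    $Response = Invoke-WebRequest -Uri "https://$AutodiscoverHost/Autodiscover/Autodiscover.xml" `
                                  -Method Post -ContentType 'text/xml' -Body $Body -Credential $Credential
    [xml]$Xml = $Response.Content

    # A failed lookup comes back as an Error element instead of an Account element.
    if ($Xml.Autodiscover.Response.Error) {
        throw "Autodiscover error: $($Xml.Autodiscover.Response.Error.Message)"
    }

    foreach ($p in $Xml.Autodiscover.Response.Account.Protocol) {
        [pscustomobject]@{
            Type   = $p.Type      # EXCH = internal RPC, EXPR = Outlook Anywhere, WEB = browser URLs
            Server = $p.Server    # 2010 mailbox: CAS array FQDN; 2013 mailbox: <MailboxGuid>@domain
            EwsUrl = $p.EwsUrl
            OwaUrl = $p.OWAUrl
        }
    }
}

# Usage: prompt for the mailbox user's credentials, then run the lookup.
$Cred = Get-Credential -Message 'Mailbox user (constructed placeholder: user@mycompany.com)'
Get-AutodiscoverSettings -EmailAddress 'user@mycompany.com' -Credential $Cred | Format-Table -AutoSize
```

Run it once for a mailbox still on 2010 and once for a migrated one: the EXCH Server value should differ (the 2010 CAS array name versus a GUID-style 2013 identity), and every URL in the output should be a name the certificate covers. If the request itself fails with a certificate error, the problem is in front of Autodiscover (the name presented by the load balancer), not in the mailbox move.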