Exchange 2013 On-Prem CU9

When installing additional CAS Servers - they automatically get added to the Autodiscover record even before they have been configured correctly with certificates, etc.

We have been told that if we add the new CAS to a AD site that has no clients initially then this should stop the clients from trying to access it, but it doesn't.  We installing the new server, adding the CAS role and it almost instantly becomes available to the clients - therefore connection issues.

We have also been told by support that we should just tell our clients that "we are patching and you may experience some issues" - this is not acceptable.

How can I add a new CAS server without it instantly becoming available to clients until it is fully configured? 

Yes, that's a problem, so I always make it a point to run Set-ClientAccessServer -AutodiscoverServiceInternalUri immediately upon completion of Setup to minimize the number of certificate warnings users get.

You could build it in a separate site where there are no clients and then move it after configuring the above, but that has its own issues.  You could also build it during a time when few people are logged on.

Hi,

Additional for Ed, we need configure new CAS server after it complete setup more than AutodiscoverURI.We need change all virtual directory name (OWA , ECP , OAB , EWS and EAS) to mail.contoso.com, by default it's the FQDN of CAS server, also connector.

For your requirement, we can implement Load balance (if you don't have hardware just enable Windows NLB).

Besides, we can change the value for RpcClientAccessServer to force client do not use new CAS server connect to Exchange server. For your reference: https://social.technet.microsoft.com/Forums/office/en-US/219d7b8e-90ef-4644-9fb3-7794aa6edc3b/adding-an-additional-cas-server?forum=exchange2010

In my opinion you have 4 options.

1. Once you install the CAS server, if you have the certificate available install the certificate and use the Set-ClientAccessServer cmdlet to set the autodiscoverserviceinternaluri to the proper name, then reboot the server.  This is what I typically like to do, and I'm usually quick enough to get everything configured before an Outlook client hits the new Autodiscover Endpoint.
2. Once you install the CAS server stop all the services on the CAS Server.  If the Exchange Services aren't running it can't respond to the Autodiscover request.  This atleast allows me to get the part that takes the longest to get done during normal business hours.
3. Do all your CAS installs afterhours. Personally I hate this option and try to use this sparingly unless I can't convince a client otherwise.
4. Assuming you have your Autodiscover site scopes configured properly, you could also use an empty AD site, but that requires you to have 2 global catalogs in that site and as Ed said, that comes along with its own problems.  

As to 1, there's no need to install the certificate in a rush.  If you specify AutodiscoverServiceInternalUri to the URL you already use for Autodiscover, it won't point to the server you're installing since you won't have it in load balancing yet.