Wednesday, August 8, 2012

Prevent Autodiscovery from Using a Pre-production CAS

When you install a Client Access server (CAS) into an existing Exchange environment, a service connection point (SCP) object is created in Active Directory for autodiscover. That object is immediately available in Active Directory and can be located by Outlook clients. If the CAS is not ready and you have not yet configured certificates on it, users may start getting errors about untrusted certificates.

To prevent clients from using the new CAS before it is configured (effectively disabling autodiscover), you can modify the SCP object by using the following cmdlet:

Set-ClientAccessServer ServerName -AutoDiscoverServiceInternalUri $NULL

Later, when the CAS is ready for production, you need to put the correct URI back into the object with the following cmdlet:

Set-ClientAccessServer ServerName -AutoDiscoverServiceInternalUri https://ServerFQDN/Autodiscover/Autodiscover.xml

Update May 2018
For the last while, I've been hearing about issues when setting the autodiscover URL to $null. It seems that newer Outlook clients see the SCP object in AD and assume that they can use the default URL for that node. So, rather than setting it to $null, set the URL to be the load-balanced URL used for the older version.

As a practical example, if you are adding Exchange 2016 to an Exchange 2010 organization, set the URL to point at the Exchange 2010 servers until you've configured and tested the Exchange 2016 servers.
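
The pre-staging and cut-over described above, as an added Exchange Management Shell example that is not from the original post. The server name and both URLs are hypothetical placeholders, and the certificate check before cut-over is an added readiness test that the post does not prescribe:

```powershell
# Added example. Run in the Exchange Management Shell.
# Hypothetical values: substitute your own server name and namespaces.
$NewServer   = 'EX2016-01'
$ExistingUri = 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'  # current load-balanced URL
$TargetUri   = 'https://ex2016-01.example.com/Autodiscover/Autodiscover.xml'     # URL to publish once ready

# 1. Pre-production: point the new server's SCP at the existing, already trusted endpoint.
Set-ClientAccessServer -Identity $NewServer -AutoDiscoverServiceInternalUri $ExistingUri

# 2. Audit every SCP so no server advertises an empty or unexpected URL.
Get-ClientAccessServer | ForEach-Object {
    $uri    = $_.AutoDiscoverServiceInternalUri
    $status = if (-not $uri) { 'EMPTY' } elseif ("$uri" -ne $ExistingUri) { 'REVIEW' } else { 'OK' }
    [pscustomobject]@{ Server = $_.Name; Uri = "$uri"; Status = $status }
} | Format-Table -AutoSize

# 3. Readiness gate: publish the new URL only if the server holds a certificate that is
#    valid, not self-signed, unexpired, bound to IIS, and covers the host name in $TargetUri.
#    This is a heuristic; it does not prove that every client trusts the issuing CA.
$targetHost = ([uri]$TargetUri).Host
$usable = Get-ExchangeCertificate -Server $NewServer | Where-Object {
    $_.Status -eq 'Valid' -and
    -not $_.IsSelfSigned -and
    "$($_.Services)" -match 'IIS' -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.CertificateDomains | Where-Object { $targetHost -like "$_" })   # -like handles wildcard names
}

if ($usable) {
    Set-ClientAccessServer -Identity $NewServer -AutoDiscoverServiceInternalUri $TargetUri
} else {
    Write-Warning "No valid, non-self-signed IIS certificate on $NewServer covers $targetHost; SCP left unchanged."
}
```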
