Yes, that follows. I think that's something we're going to have to
evaluate later - it's certainly something to ponder. I expect that
distributing the cert chain, even to the 50-75 iOS/Android units I
expect will be active about then, will not be a trivial task. OTOH, I
hear that MSFT is prepping an MDM solution, which might alleviate
those concerns.

Kurt

On Wed, Nov 9, 2011 at 11:44, Michael B. Smith <mich...@smithcons.com> wrote:
> The real question is whether you are going to use your internal CA for 
> Exchange and ActiveSync or not.
>
> If you are, then the root certificate and the chain to the root will need to 
> be loaded on all those devices (and any computers running Outlook that are 
> not part of the domain - I presume that you are/will be publishing 
> certificates to AD so that domain-joined devices can find the root).
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, November 09, 2011 2:34 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Ex2003 to 2010 Transition
>
> I am (very slowly, amid other projects) standing up 2008R2 ADCS -
> two-tier, with an offline root. I expect that around the middle of
> next calendar year we'll be migrating from Exchange 2003 to 2010. We
> are getting a lot of folks in with iPhones, and a few with Androids.
> Any thoughts on how this will affect ActiveSync for those users?
>
> Kurt
>
> On Wed, Nov 9, 2011 at 11:06, Michael B. Smith <mich...@smithcons.com> wrote:
>> You have touched on what, for some, is the most confusing aspect of a
>> migration.
>>
>>
>>
>> If you are going to be in coexistence mode, you will need at least one
>> additional certificate – the legacy certificate. This is used to securely
>> redirect users on the new server to the old server when necessary.
>>
>>
>>
>> You MAY require a second name – the autodiscover name. You will require it
>> if some of your computers are not domain joined. AND if you don’t have it,
>> you’ll need to create a SRV record.
>>
>>
>>
>> I RECOMMEND you get a new UCC certificate that has 3 names: mail,
>> autodiscover, legacy – available for about USD $60 per year from
>> certificatesforexchange.com. It really makes configuring things much easier.
>>
>>
>>
>> I wrote a mini-sidebar-article for EMO early last year that covers this:
>>
>>
>>
>> You’ve decided to upgrade from Exchange 2003 to Exchange 2007/2010 and you
>> don’t want to replace your existing SSL certificate. What can you do?
>>
>>
>>
>> First, be aware that the so-called Unified Communications certificates are
>> inexpensive from a number of vendors. Second, configuring and maintaining a
>> single-named certificate is harder and more difficult to maintain (which is
>> another way of saying that it costs you and your company time and money).
>> However, it can be done.
>>
>>
>>
>> From a broad overview perspective, you will take the existing certificate
>> and install it on your new server. Then, on the new server, you will create
>> a “redirection site” for the new Autodiscover feature. Next, you’ll update
>> your internal DNS so that the name of the SSL certificate points to the IP
>> address of the new server. Next, you’ll update DNS to contain an SRV record
>> that points to the Autodiscover feature. Finally, you’ll configure Exchange
>> to use those names.
>>
>>
>>
>> Sound easy? It’s harder than it sounds! 
>>
>>
>>
>> For the details, see the white paper “Exchange 2007 Autodiscover Service” at
>> http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx and the
>> knowledge base article KB940726 at http://support.microsoft.com/kb/940726.
>>
>>
>>
>> I gave a 75 minute session on Exchange and SSL certificates at the Exchange
>> Connections conference last week and barely covered the common scenarios.
>> The possible permutations are many and there is a huge amount of
>> misunderstanding out there.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: ExchList [mailto:exchl...@networkblade.com]
>> Sent: Wednesday, November 09, 2011 1:52 PM
>> To: MS-Exchange Admin Issues
>>
>> Subject: RE: Ex2003 to 2010 Transition
>>
>>
>>
>> Thank you everyone for replying – I have printed most of them, starting with
>> Michael’s. I’ve read half already.
>>
>>
>>
>> Regarding SSL certs (I don’t yet know if your article explains it clearly)
>> I’m a bit confused. Currently my one Exchange 2003 server uses
>> mail.mydomain.com. I seem to believe that I have to get another SSL cert for
>> Autodiscover.mydomain.com. But I read somewhere that I need a third cert
>> pointing to legacy.mydomain.com too? Is that correct?
>>
>>
>>
>> Remote devices are only Droid and iPhone. Can’t I just move/copy my current
>> cert from Exch2003 server to the Exch2010 server?
>>
>>
>>
>> From: Steve Ens [mailto:stevey...@gmail.com]
>> Sent: Wednesday, November 09, 2011 1:34 PM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Ex2003 to 2010 Transition
>>
>>
>>
>> Hey Joseph
>>
>> Yes the articles that have been outlined are good.  A few of us have been
>> through this migration already.  Jaap and MBS and the technet articles are
>> great resources.  It isn't hard, but make sure to read the documentation
>> through thoroughly first and outline your steps on paper.  Give yourself a
>> week and you can do most everything online/realtime.
>>
>> Steve
>>
>> On Wed, Nov 9, 2011 at 11:55 AM, ExchList <exchl...@networkblade.com> wrote:
>>
>> I’m late to the game on this project and need to get a jump start on this
>> fast moving project.
>>
>>
>>
>> Can you folks point me to a widely accepted How To article on transitioning
>> from Exchange 2003 to 2010?
>>
>>
>>
>> I have only one Exchange 2003 server/site and want to end with only one
>> Exchange 2010 server (knowing that I might be required to co-exist 2003 for
>> a short time period). My domain functional level has already been raised and I
>> do have a 2008 DC in place already.
>>
>>
>>
>> Thanks in advance!
>>
>>
>>
>> Joseph Danielsen

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist
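
An added example, not written by anyone in this thread: one way to request the three-name certificate discussed above and then confirm what is actually installed, run from the Exchange Management Shell on the Exchange 2010 server. The host names are the ones used in the thread; the file path is hypothetical.

```powershell
# Added example. Names taken from the thread; adjust to your own namespace.
$names = 'mail.mydomain.com', 'autodiscover.mydomain.com', 'legacy.mydomain.com'

# 1. Generate a certificate request that carries all three names as SANs.
#    In Exchange 2010 the cmdlet returns the Base64 request as a string.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.mydomain.com' `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\mail-ucc.req' -Value $req   # hypothetical path

# 2. After the issued certificate has been imported, list every installed
#    certificate with the names it lacks, the services bound to it, its
#    issuer and its expiry. An issuer that is your internal CA means the
#    root and chain must be loaded on non-domain-joined clients and phones.
Get-ExchangeCertificate | ForEach-Object {
    $cert = $_
    $have = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($names | Where-Object { $have -notcontains $_ })
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Services   = $cert.Services
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Missing    = ($missing -join ', ')
    }
} | Format-List Thumbprint, Services, Issuer, NotAfter, Missing

# 3. If the certificate has no autodiscover name, non-domain-joined clients
#    depend on the SRV record instead. Confirm that it resolves.
nslookup -type=SRV _autodiscover._tcp.mydomain.com
```

An empty `Missing` value on the certificate bound to IIS means all three names are covered and the SRV lookup in step 3 is not needed.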