Ah. It will be interesting to see what that will do. We've been dithering between installing the current SCCM and waiting for 2012. Not sure how we're going to land just yet.
Kurt On Wed, Nov 9, 2011 at 12:59, Michael B. Smith <mich...@smithcons.com> wrote: > The MDM solution is System Center Configuration Manager 2012. It's currently > available in public beta. > > The _management_ piece comes from ActiveSync. I've only played with it using > a 3rd party public cert. I don't know how it handles in-house CAs. AFAIK, > Autodiscover doesn't have a mechanism for distributing certificates for > ActiveSync, but that's not really my area of expertise. > > Regards, > > Michael B. Smith > Consultant and Exchange MVP > http://TheEssentialExchange.com > > > -----Original Message----- > From: Kurt Buff [mailto:kurt.b...@gmail.com] > Sent: Wednesday, November 09, 2011 3:53 PM > To: MS-Exchange Admin Issues > Subject: Re: Ex2003 to 2010 Transition > > Yes, that follows. I think that's something we're going to have to > evaluate later - it's certainly something to ponder. I expect that > distributing the cert chain, even to the 50-75 iOS/Android units I > expect will be active about then will not be a trivial task. OTOH, I > hear that MSFT is prepping an MDM solution, which might alleviate > those concerns. > > Kurt > > On Wed, Nov 9, 2011 at 11:44, Michael B. Smith <mich...@smithcons.com> wrote: >> The real question is whether you are going to use your internal CA for >> Exchange and ActiveSync or not. >> >> If you are, then the root certificate and the chain to the root will need to >> be loaded on all those devices (and any computers running Outlook that are >> not part of the domain - I presume that you are/will be publishing >> certificates to AD so that domain-joined devices can find the root). >> >> Regards, >> >> Michael B. Smith >> Consultant and Exchange MVP >> http://TheEssentialExchange.com >> >> >> -----Original Message----- >> From: Kurt Buff [mailto:kurt.b...@gmail.com] >> Sent: Wednesday, November 09, 2011 2:34 PM >> To: MS-Exchange Admin Issues >> Subject: Re: Ex2003 to 2010 Transition >> >> I am (very slowly, amid other projects) standing up 2008R2 ADCS - >> two-tier, with an offline root. I expect that around the middle of >> next calendar year we'll be migrating from Exchange 2003 to 2010. We >> are getting a lot of folks in with iPhones, and a few with Androids. >> Any thoughts on how this will affect ActiveSync for those users? >> >> Kurt >> >> On Wed, Nov 9, 2011 at 11:06, Michael B. Smith <mich...@smithcons.com> wrote: >>> You have touched on what, for some, is the most confusing aspect of a >>> migration. >>> >>> >>> >>> If you are going to be in coexistence mode, you will need at least one >>> additional certificate – the legacy certificate. This is used to securely >>> redirect users on the new server to the old server when necessary. >>> >>> >>> >>> You MAY require a second name – the autodiscover name. You will require it >>> if some of your computers are not domain joined. AND if you don’t have it, >>> you’ll need to create a SRV record >>> >>> >>> >>> I RECOMMEND you get a new UCC certificate that has 3 names: mail, >>> autodiscover, legacy – available for about USD $60 per year from >>> certificatesforexchange.com. It really makes configuring things much easier. >>> >>> >>> >>> I wrote a mini-sidebar-article for EMO early last year that covers this: >>> >>> >>> >>> You’ve decided to upgrade from Exchange 2003 to Exchange 2007/2010 and you >>> don’t want to replace your existing SSL certificate. What can you do? >>> >>> >>> >>> First, be aware that the so-called Unified Communications certificates are >>> inexpensive from a number of vendors. Second, configuring and maintaining a >>> single-named certificate is harder and more difficult to maintain (which is >>> another way of saying that it costs you and your company time and money). >>> However, it can be done. >>> >>> >>> >>> From a broad overview perspective, you will take the existing certificate >>> and install it on your new server. Then, on the new server, you will create >>> a “redirection site” for the new Autodiscover feature. Next, you’ll update >>> your internal DNS so that the name of the SSL certificate points to the IP >>> address of the new server. Next, you’ll update DNS to contain an SRV record >>> that points to the Autodiscover feature. Finally, you’ll configure Exchange >>> to use those names. >>> >>> >>> >>> Sound easy? It’s harder than it sounds! >>> >>> >>> >>> For the details, see the white paper “Exchange 2007 Autodiscover Service” at >>> http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx and the >>> knowledge base article KB940726 at http://support.microsoft.com/kb/940726. >>> >>> >>> >>> I gave a 75 minute session on Exchange and SSL certificates at the Exchange >>> Connections conference last week and barely covered the common scenarios. >>> The possible permutations are many and there is a huge amount of >>> misunderstanding out there. >>> >>> >>> >>> Regards, >>> >>> >>> >>> Michael B. Smith >>> >>> Consultant and Exchange MVP >>> >>> http://TheEssentialExchange.com >>> >>> >>> >>> From: ExchList [mailto:exchl...@networkblade.com] >>> Sent: Wednesday, November 09, 2011 1:52 PM >>> To: MS-Exchange Admin Issues >>> >>> Subject: RE: Ex2003 to 2010 Transition >>> >>> >>> >>> Thank you everyone for replying – I have printed most of them, starting with >>> Michael’s. I’ve read half already. >>> >>> >>> >>> Regarding SSL certs (I don’t yet know if your article explains it clearly) >>> I’m a bit confused. Currently my one Exchange 2003 server uses >>> mail.mydomain.com. I seem to believe that I have to get another SSL cert for >>> Autodiscover.mydomain.com. But I read somewhere that I need a third cert >>> pointing to legacy.mydomain.com too? Is that correct? >>> >>> >>> >>> Remote devices are only Droid and iPhone. Can’t I just move/copy my current >>> cert from Exch2003 server to the Exch2010 server? >>> >>> >>> >>> From: Steve Ens [mailto:stevey...@gmail.com] >>> Sent: Wednesday, November 09, 2011 1:34 PM >>> To: MS-Exchange Admin Issues >>> Subject: Re: Ex2003 to 2010 Transition >>> >>> >>> >>> Hey Joseph >>> >>> Yes the articles that have been outlined are good. A few of us have been >>> through this migration already. Jaap and MBS and the technet articles are >>> great resources. It isn't hard, but make sure to read the documentation >>> through thoroughly first and outline your steps on paper. Give yourself a >>> week and you can do most everything online/realtime. >>> >>> Steve >>> >>> On Wed, Nov 9, 2011 at 11:55 AM, ExchList <exchl...@networkblade.com> wrote: >>> >>> I’m late to the game on this project and need to get a jump start on this >>> fast moving project. >>> >>> >>> >>> Can you folks point me to a widely accepted How To article on transitioning >>> from Exchange 2003 to 2010? >>> >>> >>> >>> I have only one Exchange 2003 server/site and want to end with only one >>> Exchange 2010 server (knowing that I might be required to co-exist 2003 for >>> a short time period). My domain functional level has already be raised and I >>> do have a 2008 DC in place already. >>> >>> >>> >>> Thanks in advance! >>> >>> >>> >>> Joseph Danielsen >>> >>> --- >>> To manage subscriptions click here: >>> http://lyris.sunbelt-software.com/read/my_forums/ >>> or send an email to listmana...@lyris.sunbeltsoftware.com >>> with the body: unsubscribe exchangelist >>> >>> >>> >>> --- >>> To manage subscriptions click here: >>> http://lyris.sunbelt-software.com/read/my_forums/ >>> or send an email to listmana...@lyris.sunbeltsoftware.com >>> with the body: unsubscribe exchangelist >>> >>> --- >>> To manage subscriptions click here: >>> http://lyris.sunbelt-software.com/read/my_forums/ >>> or send an email to listmana...@lyris.sunbeltsoftware.com >>> with the body: unsubscribe exchangelist >>> >>> --- >>> To manage subscriptions click here: >>> http://lyris.sunbelt-software.com/read/my_forums/ >>> or send an email to listmana...@lyris.sunbeltsoftware.com >>> with the body: unsubscribe exchangelist >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to listmana...@lyris.sunbeltsoftware.com >> with the body: unsubscribe exchangelist >> >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to listmana...@lyris.sunbeltsoftware.com >> with the body: unsubscribe exchangelist > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe exchangelist > > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe exchangelist --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
