How to add an Exchange Server with AutoDiscover SCP disabled or hidden by default

windows active-directory exchange exchange-2019

I'm building some new Exchange 2019 servers in my environment and do not want clients to immediately use their AutoDiscover service connection points (SCP) that get created in Active Directory during installation. We should be able to update the default InternalUrl/ExternalUrl values and test before these become active. What is the best way to hide, block, or disable the default SCP until I am ready to use them?

Our options appear to be:

  • Update the URL values as quickly as possible after the installation completes.

Or run a looping script that looks for the creation of the SCP during installation, and performs an action immediately, such as:

  • Remove "Domain Users" read permissions when it is found (or add a 'deny', but 'deny' ACEs...).
  • Set the AutoDiscoverSiteScope attribute to a non-existent AD site as quickly as possible after the installation completes so the new one is not considered authoritative for an AD site.
  • Set the IsOutOfService attribute to $true.

Or something else to make them start out in a 'disabled' or 'out of service' state?


Solution 1:

Looking at the Exchange Team Blog (Exchange Active Directory Deployment Site), Microsoft recommend creating a deployment site in Active Directory.

Basically, when Outlook searches AD for the list of SCPs, it will look at the keywords attribute for each one; in particular, "Site=MySite" gets a priority of 1, no "Site=" value gets a priority of 2, and "Site=OtherSite" gets a priority of 3. (I'm using MySite and OtherSite as placeholders for actual site names.)

So, as long as you have an existing SCP which matches your clients' site (priority 1), you can add a new SCP for a different site (priority 3) and Outlook will ignore it. That gives you time to configure the new Exchange server before end users actually connect to it, and therefore they won't get certificate warnings etc.

So, you can set up a small subnet (using AD Sites and Services) and put the new Exchange servers in there temporarily. However, note that you will need to have a domain controller in that site. If that's not practical, the only other option is what joyceshen suggested, i.e. do this out of hours and try to update the URI as quickly as possible, but that will cause some disruption.

After you move the new Exchange server to the real site, you will need to update the AutoDiscoverSiteScope property of the client access service:

Set-ClientAccessService -Identity "MyServer" -AutoDiscoverSiteScope "foobar"

Related

Domain name + hosting on server 2019
Is it possible to backup a LVM disk to an external server?
How to officially install latest Docker into offline RHEL 8 x86_64 machine?
Ansible - can't refer to module parameter value
Redirect TLS traffic by hostname
WordPress unable to connect to MySQL from GCP Compute Engine VM
Linux Link Speed Advertise
Flushing IP table doesn’t flush NAT
Automate the creation of database/user/password into K8 for Bitnami helm chart postgresql
Proper way to create unique_ptr that holds an allocated array
SQL - IF EXISTS UPDATE ELSE INSERT INTO
Lambda including if...elif...else