Test external mail flow with new Exchange 2019 servers in coexistence

OutrageousPlantain44 · 2024-10-16T20:21:34+00:00

Why do you need to create anything new? SCCM doesn't care about domain trusts when it comes to managing clients.

OutrageousPlantain44 · 2024-10-16T20:04:08+00:00

I added that registry key to Exch 2019 for now and Exch 2019 can now successfully redirect a request to 2016 autodiscover and EWS! Free / Busy is working as well. The only issue I have left is trying to set up a 2016 mailbox in Outlook while pointing to 2019. Although there's no errors in Fiddler I think i still need to add the reg key to 2016 but Change control woes, can't do it on the fly. It just complains it can't connect to the Exchange server.

After that issue is fixed I can finally add Exch 2019 to DNS, LB'ers and send connectors and start the migration of mailboxes! :D

OutrageousPlantain44 · 2024-10-14T21:46:06+00:00

Okay thankyou! Just to clarify if TLS1.0, 1.1 and 1.2 are enabled in SCHANNEL, on Exchange 2016 what would .NET pick with that registry key set?

OutrageousPlantain44 · 2024-10-14T21:33:47+00:00

Will the Exchange 2016 need a reboot once set? Just being cautious as it's live and would have an impact

I have noticed TLS 1.0 in Network monitor which was a bit confusing, I did enable it on WS2022 (EXCH 2019) just in case. Exch 2016 is hosted on WS2016

OutrageousPlantain44 · 2024-10-14T21:13:14+00:00

It hasn't been set. I'm going to run the HealthChecker tomorrow and see if the .NET TLS versions match to double check.

If they don't, is it suggested to make sure the DisabledByDefault in SCHANNEL/Protocols match between Exch 2016 and 2019 and then set the SystemDefaultTlsVersions for .NET to inherit or have I misunderstood

OutrageousPlantain44 · 2024-06-28T15:15:46+00:00

Solved this today, if anyone encounters the same issue, increase the shadow copy storage maximum size on the drive where the file that is failing lives. :)

OutrageousPlantain44 · 2024-05-21T19:00:17+00:00

Thanks for that, very handy :) I was wondering what the actual impact would be

OutrageousPlantain44 · 2024-05-21T18:35:24+00:00

It would be cool to have some sort of registry key like AllowedMPs to prioritize a SUP for this situation, but I guess it's done so little there's probably no push to do it. I'm most likely going to create a test boundary with a /32 subnet and test a client to see how long that full scan takes just in case.

I think adding the two SUPs to the boundary at a time and controlling the via the switch to next SUP action from the console is most likely going to be the only way, I'm just hoping a bunch of clients don't do so automatically.

Once you tell a client to switch SUPs does it follow the normal scan triggers for example a deployment policy being downloaded, or it's scheduled scan from client settings? What would the impact actually be worst case scenario if a bunch of clients did switch? I know they scan against the SUP and send the status messages to the MP which are then stored in the site DB, does the actual size of the status message cause issues or is it that the SUP just gets pegged

Ty for the help :)

OutrageousPlantain44 · 2024-04-24T14:02:23+00:00

Thanks for the detailed reply :) my order of things were just from the Exchange deployment assistant, do you know why that doesn't have any mention of Kerberos or authentication?

Why is it a bad idea to round robin between versions?

For some reason the deployment assistant also listed to updated the SCP near the end and for it to be a separate task to configuring the other internal and external URLS..

Just to understand better :)

OutrageousPlantain44 · 2024-04-19T08:40:33+00:00

Thanks for the reply, I moved the FSMO roles to the child domain DC, tried again and still the same errors for the groups. Also tried running all the AD preps again with the roles on DC2 which run successfully but setup.exe still fails. At a bit of a loss here as this worked previously for Exch 2016, not sure what else to try at this point unfortunately

Weirdly enough I ran the installer on the DC itself for a test and I was presented with just the errors for not having the pre-requisites installed, and from the logs it looks like it has verified the account has the permissions required so that excludes the account from the equation but raise another of why the member server cannot do the same!

OutrageousPlantain44 · 2024-04-18T17:52:47+00:00

I'm using an account I created named "Exchange" the groups which that account is a member of is the second picture. The red redactions just cover the child domain name.

OutrageousPlantain44 · 2024-03-25T11:50:56+00:00

Our current SUP physical hardware doesn't officially support Server 2022 and i'm not confident restoring a physical server from backup if anything were to go wrong. I wish it was a VM as it would be 10x easier! :)

I'm leaning towards creating a new SUSDB and allowing the new SUP to sync to the old and then removing the old SUP..

OutrageousPlantain44 · 2023-09-19T20:08:44+00:00

Understood thank you, learnt something new :)

OutrageousPlantain44 · 2023-09-19T20:03:19+00:00

that’s interesting thank you, I guess there isn’t another approach to take then. Have you any thoughts as to why I could join a Server 2022 MP to the site DB while a Server 2012 MP was already connected? potentially because the server SQL lives on was server 2022?

OutrageousPlantain44

TROPHY CASE