When a new Exchange Client Access Server is installed, a SCP record is created for it in Active Directory.
That SCP object (record) can be found here:
CN=Name of Exchange server,CN=Autodiscover,CN=Protocols,CN=Name of Exchange server,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=organization Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Note: we assume that the first SCP record has been configured as appropriate with the Set-ClientAccessServer cmdlet as mentioned above, something like "mail" instead of "CAS1" (and with a corresponding record in DNS pointing to a load balancer).
Next, I must expand the respective folders to reach the SCP:
Once again, we right-click on the folder with the servername, select "Properties", and see the SCP details under the "Attribute Editor" tab:
After having tested this, I confidently installed Exchange 2010 in a production environment. The plan was to import and enable a UCC/SAN certificate that evening. However, we had to concentrate on the resolution of a problem with an update and thought we could safely wait to install the certificate.
What happened the next morning?
Certificate warnings for users when they opened Outlook...
We installed the certificate immediately and the warnings no longer displayed when users opened Outlook.
I'm not sure why this happened. I suspect that, although the oldest SCP record is selected (there seems to be consensus on this), the autodiscover information may include references to all or any one of the servers, without distinction.
I ran the autoconfiguration test (press Ctrl, right-click on the Outlook icon in the taskbar) and the references to the Exchange 2010 server were for OWA and OAB (everything else - EWS, UM, etc. - was for the Exchange 2007 server).
Lesson learned: import and enable the UCC/SAN certificate as part of the installation process of Exchange 2010.