Cannot switch off Exchange 2007 Structure after Migration to 2013

Hi there,

I did a migration in a single domain with 100 users from 2 CAS (NLB) + 2 MBX (CCR-Cluster) 2007 to 2013 mostly according to this tutorial:

http://www.msexchange.org/articles-tutorials/exchange-server-2013/migration-deployment/planning-and-migrating-small-organization-exchange-2007-2013-part1.html

It all went quite well and the environment has been in production for 2 weeks now. I'm a little bit confused that Outlook (PC) is talking about a bad certificate on the proxy (mail.mydomain.de, which is a good one!) with error code "0", but OK, I thought as soon as I can switch Exchange 2007 off this will be gone.

BUT:

As soon as I switch off the old infrastructure then strange things happen:

Outlook-PC: Users will be repeatedly asked for their credentials

Outlook-Mac: Everything is working

Outlook-iOS: Everything keeps working

OWA-APP iOS: stopped connecting at all

OWA on any Desktop: Everything is fine

Apple Mail on iOS: stopped connecting at all


I switched the SCP for 2013 Server:

"Set-ClientAccessServer -Identity Exchange2013 -AutoDiscoverServiceInternalURI https://autodiscover.mydomain.de/Autodiscover/Autodiscover.xml"

I marked the old SCP-entries from the Exchange 2007 CAS hidden for everyone in AD

I set OWA to point to the Exchange 2013:

Set-OutlookAnywhere -Identity "exchange2007\RPC (Default Web Site)" -internalHostname mail.mydomain.de -internalClientsRequireSsl $true -DefaultAuthenticationMethod ntlm

The Autodiscover-Tests Outlook processes on client side is completely successful.

Any ideas what is missing?

Thank you.

PS: Sorry for the bad formatting, but this editor is strange running on Safari!


  • Edited by F.One 15 hours 12 minutes ago
August 5th, 2015 12:17pm

Hi!

Few things we'll need more details on:

  1. Your Outlook PC clients - are these domain joined machines accessing Exchange internally?
  2. Are you using split brain dns? Have you updated all your DNS records to point to the 2013 infrastructure now?
  3. Have you checked your internal and external URLs on all your virtual directories and made sure they are correct?
August 5th, 2015 12:26pm

Thank you for your fast input.

1+2: Yes!

3. Maybe there I do miss something:

- autodiscoverinternalserviceURI is set, ecp, too:

Name        : ecp (Default Web Site)
InternalUrl : https://mail.mydomain.de/ecp
ExternalUrl : https://mail.mydomain.de/ecp

for the following assume:

"trinculo" and "antares" are Exchange 2007 CAS, published as "berlin" (NLB)

"Exchange" is 2007 MBX CCR

XS1 & XS2 are Exchange 2013 CAS&MBX

Get-OWAVirtualDirectory

Name                                    Server                                  OwaVersion
----                                    ------                                  ----------
owa (Default Web Site)                  TRINCULO                                Exchange2007
Exchange (Default Web Site)             TRINCULO                                Exchange2003or2000
Public (Default Web Site)               TRINCULO                                Exchange2003or2000
Exchweb (Default Web Site)              TRINCULO                                Exchange2003or2000
owa (Default Web Site)                  ANTARES                                 Exchange2007
Exchange (Default Web Site)             ANTARES                                 Exchange2003or2000
Public (Default Web Site)               ANTARES                                 Exchange2003or2000
Exchweb (Default Web Site)              ANTARES                                 Exchange2003or2000
Exchange (Default Web Site)             exchange                                Exchange2003or2000
Public (Default Web Site)               exchange                                Exchange2003or2000
Exadmin (Default Web Site)              exchange                                Exchange2003or2000
owa (Default Web Site)                  XS2                                     Exchange2013
owa (Default Web Site)                  XS1                                     Exchange2013


Get-OabVirtualDirectory

Server                        Name                          Internal Url                  External Url
------                        ----                          ------------                  ------------
TRINCULO                      OAB (Default Web Site)        http://berlin.mydomain.de... http://berlin.mydomain.de...
ANTARES                       OAB (Default Web Site)        http://berlin.mydomain.de... http://berlin.mydomain.de...
XS2                           OAB (Default Web Site)        https://mail.mydomain.de/OAB https://mail.mydomain.de/OAB
XS1                           OAB (Default Web Site)        https://mail.mydomain.de/OAB https://mail.mydomain.de/OAB


Get-WebServicesVirtualDirectory

Name                                    Server                                  InternalUrl
----                                    ------                                  -----------
EWS (Default Web Site)                  TRINCULO                                https://berlin.mydomain.de/EWS/Exch...
EWS (Default Web Site)                  ANTARES                                 https://berlin.mydomain.de/EWS/Exch...
EWS (Default Web Site)                  XS2                                     https://mail.mydomain.de/EWS/Exchan...
EWS (Default Web Site)                  XS1                                     https://mail.mydomain.de/EWS/Exchan...



  • Edited by F.One 14 hours 46 minutes ago
August 5th, 2015 12:44pm

 

Are you using a SAN SSL certificate? What domain names do you have in the certificate?

Can you check the Autodiscover internal url (get-clientaccessserver | fl name,auto*) and post what URLs they point to.

"I marked the old SCP-entries from the Exchange 2007 CAS hidden for everyone in AD"


How did you do this? You should have just had to update internal url on these to point to the 2013 CAS.

What server does mail.mydomain.de resolve to?

What's the internal and external url for Outlook Anywhere?

Edit: just to make sure I'm clear, you have migrated all mailboxes to 2013 correct? You are essentially done with coexistence?
  • Edited by in2jars 14 hours 20 minutes ago
August 5th, 2015 1:09pm

Yes, SAN Certificate with mail.mydomain.com and autodiscover.mydomain.com

get-clientaccessserver | fl name,auto*

Name                           : TRINCULO
AutoDiscoverServiceCN          :
AutoDiscoverServiceClassName   :
AutoDiscoverServiceInternalUri :
AutoDiscoverServiceGuid        :
AutoDiscoverSiteScope          :

Name                           : ANTARES
AutoDiscoverServiceCN          :
AutoDiscoverServiceClassName   :
AutoDiscoverServiceInternalUri :
AutoDiscoverServiceGuid        :
AutoDiscoverSiteScope          :

Name                           : XS2
AutoDiscoverServiceCN          : xs2
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://autodiscover.mydomain.de/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Berlin}

Name                           : XS1
AutoDiscoverServiceCN          : xs1
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://autodiscover.mydomain.de/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Berlin}

I did hide the old SCP-Entries in AD-Services-View, because there is no simple backup/restore option there for just deleting them - they are still alive but no client can read them, as you can see in the output above.

mail.mydomain.de resolves to xs1 AND xs2 (DNS roundrobin)

Internal and external OutlookAnywhere hostname is set on all Servers (Exchange 2007 and 2013) to mail.mydomain.de

And yes, I'm done with coexistence, no mailbox resides on Exchange 2007 and the PF Database is unmounted already...

August 5th, 2015 1:59pm

Hmmm...just to confirm, https://autodiscover.mydomain.de is pointing to xs1 and xs2 I'm assuming (round robin like mail.mydomain.de?).

What are the results of Outlook's Test Email AutoConfiguration utility?

August 5th, 2015 2:19pm

Yes, and as I wrote in my initial Posting:

"The Autodiscover-Tests Outlook processes on client side is completely successful."

August 5th, 2015 2:32pm
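
Added example (not posted by anyone in this thread): the checks asked for above, combined into one Exchange Management Shell script that lists every URL and hostname published by any CAS and flags those outside the expected namespace or not covered by an IIS certificate on each Exchange 2013 server. `$Expected` is an assumption taken from the hostnames quoted in the thread; `Test-NameCovered` and `New-Endpoint` are hypothetical helper names.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on Exchange 2013.
# ASSUMPTION: the client namespaces, taken from the hostnames quoted in the thread.
$Expected = 'mail.mydomain.de', 'autodiscover.mydomain.de'

function Test-NameCovered([string]$HostName, [string[]]$CertNames) {   # hypothetical helper
    # Exact match, or a wildcard name that covers exactly one leading label.
    $parent = '*' + $HostName.Substring([Math]::Max($HostName.IndexOf('.'), 0))
    return [bool]($CertNames | Where-Object { $_ -eq $HostName -or $_ -eq $parent })
}
function New-Endpoint($Server, $Source, $Value) {                      # hypothetical helper
    # Emit one record per configured URL or hostname; empty settings are skipped.
    if (-not $Value) { return }
    $text = "$Value"
    if ($text -match '^https?://') { $text = ([uri]$text).Host }
    [pscustomobject]@{ Server = "$Server"; Source = $Source; HostName = $text.ToLower() }
}
# Every hostname a client can be handed, on 2007 and 2013 servers alike (read from AD only).
$found = @(
    foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
                     'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory') {
        foreach ($vd in (& $cmd -ADPropertiesOnly)) {
            New-Endpoint $vd.Server "$cmd InternalUrl" $vd.InternalUrl
            New-Endpoint $vd.Server "$cmd ExternalUrl" $vd.ExternalUrl
        }
    }
    foreach ($oa in (Get-OutlookAnywhere -ADPropertiesOnly)) {
        New-Endpoint $oa.Server 'OutlookAnywhere InternalHostname' $oa.InternalHostname
        New-Endpoint $oa.Server 'OutlookAnywhere ExternalHostname' $oa.ExternalHostname
    }
    foreach ($cas in (Get-ClientAccessServer)) {
        New-Endpoint $cas.Name 'Autodiscover SCP' $cas.AutoDiscoverServiceInternalUri
    }
)

# Names on unexpired certificates enabled for IIS, per Exchange 2013 server.
$certNames = @{}
Get-ExchangeServer | Where-Object { "$($_.AdminDisplayVersion)" -like 'Version 15*' } | ForEach-Object {
    $certNames[$_.Name] = @(Get-ExchangeCertificate -Server $_.Name |
        Where-Object { "$($_.Services)" -match 'IIS' -and $_.NotAfter -gt (Get-Date) } |
        ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })
}

# One row per setting: expected namespace or not, and which 2013 servers lack a cert for the host.
$found | Sort-Object HostName, Server, Source | ForEach-Object {
    $h = $_.HostName
    $gaps = @($certNames.Keys | Where-Object { -not (Test-NameCovered $h $certNames[$_]) })
    $_ | Select-Object Server, Source, HostName, @{ n = 'Expected'; e = { $Expected -contains $h } },
        @{ n = 'NoIisCertOn'; e = { $gaps -join ',' } }
} | Format-Table -AutoSize
```

Rows with `Expected` False still publish a hostname outside the chosen namespace; a non-empty `NoIisCertOn` names the 2013 servers whose IIS certificate does not list that host.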
