Outlook 2010 looking at wrong CAS Server for autodiscover settings? Exchange 2010/2007 environment
Good Afternoon All, I've encountered a strange issue with Outlook 2010, which, when first launched, gets a certificate error from an Exchange 2007 server in a different physical location.
Here's a bird's-eye view of our Exchange environment: 1 root domain (domain.com), shared by 3 different physical locations all connected by an MPLS cloud. There are 6 Exchange 2010 Servers in this domain, a separate CAS/HT and MBX server per each location. 1 child domain (child.domain.com), which was set up to house a separate business entity that has its own Exchange 2007 Server that holds the CAS/HT/MBX roles. The mailboxes hosted on this server show up within EMC in my root domain/exchange org.
The company I work for was recently purchased by another company and we have been going through a re-branding process. Being the Exchange Engineer, I have successfully updated everyone's Primary SMTP addresses as well as their SMTP Aliases with the new address space. I've also purchased a 10 slot UCC/SAN certificate that has all of the URLs for our Exchange Servers/Services. The UCC/SAN certificate has been installed at 2 sites (4 of the exchange servers) and I used the following article to change the URLs for OAB/EWS/OWA/OutlookAnywhere, etc: http://technet.microsoft.com/en-us/magazine/ff381470.aspx I'm waiting to fix this particular issue before installing the UCC cert at the 3rd site.
As it stands right now, Autodiscover and all associated services work both in-house and externally. Previously, access to the EWS directory while outside of the network and using Outlook Anywhere was not functioning - I've fixed that and we're able to download the OAB and set out of office replies through Outlook Anywhere, which I'm quite happy with. There's 1 little problem that I've run into and I've been sifting through document after document on the web trying to figure it out, which hasn't yielded a fix.
The problem: Whenever my users open up MS Outlook 2010 in the root domain, they're immediately prompted with a "Security Alert" dialog box stating that "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority." The certificate is a self-signed cert from the Exchange 2007 server in the child domain, which is at a different physical location than where we're sitting.
To clarify, when users open MS Outlook 2k10 and their mailboxes are located on an Exchange 2010 server located at the same physical location as them, their Outlook client is getting a self-signed certificate error from the Exchange 2007 server which is in the child domain and several hundred miles away. I'm assuming this is the autodiscover service talking to the Exchange 2007 server, which is then redirected to our CAS server that is here on-site. I'm confused by this, as within AD Sites and Services we have our sites/subnet set up properly and our SCP record points to our webmail address of the Exchange 2010 servers in our root domain.
I came across this MS Support article (http://support.microsoft.com/kb/2006728), which states: "Exchange 2010: If the user has an Exchange 2010 mailbox, the Exchange 2007 SP2 Client Access server redirects the request to an Exchange 2010 Client Access server. The redirect response from the Exchange 2007 SP2 Client Access server includes the URL for the Exchange 2010 Client Access server."
From how I perceive the article, it looks like if your Exchange environment co-exists between Exchange 2007 and Exchange 2010, then Outlook clients will check with the Exchange 2007 server first for autodiscover settings and the Exchange 2007 server will redirect to another CAS server if necessary. Is this a correct perception?
Is there any way to adjust the SCP records or the way that autodiscover works so that MS Outlook 2010 will talk with the closest Exchange 2010 server for autodiscover settings, thus avoiding the Exchange 2007 server/certificate alert altogether? While our users should be able to send/receive email to and from user mailboxes on the Exchange 2007 Server, I don't want our Outlook clients talking to the Exchange 2007 Server for any sort of autodiscover-based information.
Any help on this would be most appreciated! Cheers, Jim P.
April 12th, 2011 5:24pm

Outlook must connect to the Exchange 2007 mailbox server for Exchange 2007 mailboxes. The Exchange 2007 CAS server doesn't handle MAPI. If Outlook connects to an Exchange 2010 CAS via MAPI, the Exchange 2010 CAS will redirect the MAPI session to the Exchange 2007 server and the profile will be updated.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 12th, 2011 9:29pm

Hi Ed, Thanks for the reply. For the sake of clarifying/simplifying, let's say my Exchange 2010 CAS/HT server is named EX2k10CAS and the Exchange 2010 Mailbox server is named EX2k10MBX, and the Exchange 2007 CAS/HT server is named EX2k7CAS and the Exchange 2007 mailbox server is named EX2k7MBX.
If one of my users who sits next to me opens up Outlook 2k10 and their mailbox is located on the EX2k10MBX server, and both Exchange 2k10 servers are in the same physical location as the user, the user's Outlook client will first talk to the EX2k7CAS server which is located halfway across the country. If I understand you correctly, are you saying that the Outlook client MUST talk to the Exchange 2007 server first as it's using a MAPI connection?
I suppose I'm confused as to why the user who is located right next to me, when they open MS Outlook 2k10 and their mailbox is located on the Exch 2k10 server in the same physical location as me, their client first talks to an Exch 2k7 server a few hundred miles away. Do I have something configured incorrectly, or is this happening by design? I'm scratching my head on this one. Hopefully this post clarifies my initial post. Thanks again for the reply. Jim P.
April 12th, 2011 9:51pm

If one of my users who sits next to me opens up Outlook 2k10 and their mailbox is located on the EX2k10MBX server, and both Exchange 2k10 servers are in the same physical location as the user, the user's Outlook client will first talk to the EX2k7CAS server which is located halfway across the country.
>>> That should not be the case. Outlook retains the server it thinks the mailbox is on, and for Exchange 2010 that would be the Exchange 2010 CAS, since it handles MAPI for Exchange 2010 mailboxes.
If I understand you correctly, are you saying that the Outlook client MUST talk to the Exchange 2007 server first as it's using a MAPI connection?
>>> That is not the case. Outlook can talk to any server before it determines which server the mailbox is on, and then it will store that server in the profile. If that is an Exchange 2007 server, and you move the mailbox to Exchange 2010, that setting will change automatically. None of this has really changed since the beginning of Exchange.
I suppose I'm confused as to why the user who is located right next to me, when they open MS Outlook 2k10 and their mailbox is located on the Exch 2k10 server in the same physical location as me, their client first talks to an Exch 2k7 server a few hundred miles away.
>>> I don't know why that would be the case unless he is looking for public folder content that only has a replica on the Exchange 2007 server. What do you see when you hold the Ctrl key, click the Outlook icon in the system tray and select Connection Status?
Do I have something configured incorrectly, or is this happening by design?
>>> There could certainly be a misconfiguration in Autodiscover. If this is happening to just one user, perhaps you should delete and recreate his Outlook profile. Profiles have been known to be sticky at times, and not properly change to the proper server.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 13th, 2011 12:37pm
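
One way to check the Autodiscover misconfiguration raised above is to list every SCP with the AD sites it is scoped to and the certificate its host presents. This is an added example, not code from any poster in this thread; it assumes the Exchange Management Shell (PowerShell 2.0 syntax) and that each SCP host answers HTTPS on the port in its URL.

```powershell
# Added example: inventory Autodiscover SCPs and the certificate behind each.
# "SelfSigned" is a heuristic (Subject equals Issuer), not a full chain check.
Get-ClientAccessServer | ForEach-Object {
    $uri = [uri]$_.AutoDiscoverServiceInternalUri
    $report = New-Object PSObject -Property @{
        Server     = $_.Name
        ScpUri     = $uri
        SiteScope  = (@($_.AutoDiscoverSiteScope) -join ', ')
        Subject    = $null
        SelfSigned = $null
        Error      = $null
    }
    if ($uri) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($uri.Host, $uri.Port)
            # Accept whatever is presented: the goal is to inspect the
            # certificate, not to trust it. No data is sent after the handshake.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($uri.Host)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $report.Subject    = $cert.Subject
            $report.SelfSigned = ($cert.Subject -eq $cert.Issuer)
        } catch {
            $report.Error = $_.Exception.Message
        } finally {
            $client.Close()
        }
    }
    $report
} | Format-Table Server, ScpUri, SiteScope, SelfSigned, Subject, Error -AutoSize
```

A row whose SiteScope covers the users' AD site and whose SelfSigned column is True identifies an SCP that can produce the Security Alert prompt described in the first post.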
