two CAS servers and changing two autodiscover URLs

I have two Exchange 2010 CAS servers in two remote locations.  CASa serves location A's (LOCA) database and CASb serves location B's (LOCB) database.  LOCA has the URL mail.loca.domain.com and LOCB has mail.locb.domain.com.  We recently updated LOCB to use mail.siteb.domain.com by configuring:

Set-ClientAccessServer -Identity server -AutoDiscoverServiceInternalUri https://mail.siteb.domain.com/Autodiscover/Autodiscover.xml

Set-OWAVirtualDirectory -Identity "server\OWA (default web site)" -ExternalURL https://mail.siteb.domain.com/OWA
Set-OWAVirtualDirectory -Identity "server\OWA (default web site)" -InternalURL https://mail.siteb.domain.com/OWA

Set-OABVirtualDirectory -Identity "server\OAB (default web site)" -ExternalURL https://mail.siteb.domain.com/OAB
Set-OABVirtualDirectory -Identity "server\OAB (default web site)" -InternalURL https://mail.siteb.domain.com/OAB

Set-WebServicesVirtualDirectory -Identity "server\EWS (default web site)" -ExternalURL https://mail.siteb.domain.com/ews/exchange.asmx
Set-WebServicesVirtualDirectory -Identity "server\EWS (default web site)" -InternalURL https://mail.siteb.domain.com/ews/exchange.asmx

Set-ActiveSyncVirtualDirectory -Identity "server\Microsoft-Server-ActiveSync (default web site)" -ExternalURL https://mail.siteb.domain.com/Microsoft-Server-ActiveSync
Set-ActiveSyncVirtualDirectory -Identity "server\Microsoft-Server-ActiveSync (default web site)" -InternalURL https://mail.siteb.domain.com/Microsoft-Server-ActiveSync

Set-ECPVirtualDirectory -Identity "server\ECP (default web site)" -ExternalURL https://mail.siteb.domain.com/ECP
Set-ECPVirtualDirectory -Identity "server\ECP (default web site)" -InternalURL https://mail.siteb.domain.com/ECP

Set-OutlookAnywhere -Identity "server\RPC (default web site)" -ExternalHostName mail.siteb.domain.com

Set-ClientAccessArray -Name "SITEB" -Fqdn "mail.siteb.domain.com"

Get-MailboxDatabase | where {$_.ExchangeLegacyDN -eq '/o=Domain/ou=Exchange Administrative Group /cn=Configuration/cn=Servers/cn=mail.loca.domain.com/cn=Microsoft Private MDB'} | Set-MailboxDatabase -RpcClientAccessServer 'mail.siteb.domain.com'

All was well with the certificate swap; however, when I changed LOCA to use the URL mail.sitea.domain.com and swapped the certificate, siteb got a certificate warning about mail.loca.domain.com (sitea's old certificate).  All URLs and links are set correctly.  Why is siteb getting this warning on all Outlook clients?

February 24th, 2015 1:25pm

Look at the CertPrincipalName setting in Get-OutlookProvider -Identity EXPR.
February 24th, 2015 6:54pm

Hi Ed,

There were never any settings within the Get-OutlookProvider command:

[PS] C:\Windows\system32>Get-OutlookProvider -Identity EXPR

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXPR                                                                                      1

RunspaceId           : ab1f8186-0e44-4f6b-b98a-041c096e9767
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXPR
DistinguishedName    : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=Domain,CN=Microsoft Exchange,
                       CN=Services,CN=Configuration,DC=domain,DC=com
Identity             : EXPR
Guid                 : ee6832ae-28c9-4410-b61a-f2172d1d1938
ObjectCategory       : domain.com/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 3/1/2012 1:35:34 PM
WhenCreated          : 3/1/2012 1:35:17 PM
WhenChangedUTC       : 3/1/2012 9:35:34 PM
WhenCreatedUTC       : 3/1/2012 9:35:17 PM
OrganizationId       :
OriginatingServer    : DC02.domain.com
IsValid              : True

February 24th, 2015 10:49pm

Clients that use Outlook Anywhere expect to have a certificate that matches the hostname to which they're connecting, and that often causes certificate warnings.  Enter:

Get-OutlookAnywhere | FL Identity,ExternalHostName

to be sure that the hostnames correspond to a name that's in the certificate in the respective computers.

Without knowing what your hostnames point to in DNS, which certificates are bound to which machines, and which certificates are enabled for which servers, it's not possible for anyone to tell you what's causing the certificate warnings.  Basically, the certificate must contain as its CN or a SAN the hostname that's being used in the URL to point to the s

February 24th, 2015 11:40pm
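The check Ed describes above, as an added example that is not part of the thread: it gathers every client-facing hostname configured on one CAS (Autodiscover, Outlook Anywhere, OWA, ECP, OAB, EWS, ActiveSync) and reports which of them are missing from the CN/SAN list of the certificate enabled for IIS on that server. It assumes the Exchange 2010 Management Shell and uses $Server as a placeholder for the CAS name.

```powershell
# Added example: compare configured client hostnames with the IIS certificate's names.
# Run in the Exchange 2010 Management Shell; $Server is a placeholder for the CAS to inspect.
$Server = "server1"

function Get-HostFromUrl([string]$Url) {
    # Virtual directory URLs are System.Uri objects; an unset URL comes through as empty.
    if ([string]::IsNullOrEmpty($Url)) { return $null }
    return ([System.Uri]$Url).Host.ToLower()
}

# Hostnames that Outlook and other clients will actually be told to connect to.
$names = @()
$names += Get-HostFromUrl (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$oa = Get-OutlookAnywhere -Server $Server
if ($oa -and $oa.ExternalHostname) { $names += $oa.ExternalHostname.ToString().ToLower() }
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server) + @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server)
foreach ($vd in $vdirs) {
    $names += Get-HostFromUrl $vd.InternalUrl
    $names += Get-HostFromUrl $vd.ExternalUrl
}
$names = $names | Where-Object { $_ } | Sort-Object -Unique

# The certificate bound to IIS is the one presented for Autodiscover, OWA, EWS and Outlook Anywhere.
$cert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameCovered([string]$Name, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        # A wildcard entry (*.domain.com) covers exactly one extra label, not deeper names.
        if ($d.StartsWith("*.") -and ($Name -like $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($n in $names) {
    $status = if (Test-NameCovered $n $domains) { "covered by $($cert.Thumbprint)" } else { "MISSING from IIS certificate" }
    "{0,-45} {1}" -f $n, $status
}
```

Any name reported as MISSING is one for which a client following that URL will see exactly the kind of certificate warning the thread describes; run it against each CAS, since each presents its own certificate.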

Hi Ed,

They match to their corresponding hostnames.  I am sure DNS settings are all good.  There is only one autoconfigure DNS setting that points to the CASa IP.  Should I have a second autoconfigure DNS to point to CASb?

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl Identity,Externalhostname


Identity         : server1\Rpc (Default Web Site)
ExternalHostname : mail.sitea.domain.com

Identity         : server2\Rpc (Default Web Site)
ExternalHostname : mail.siteb.domain.com

February 24th, 2015 11:56pm

I think you mean autodiscover, and it doesn't matter where you point it as long as the certificate has autodiscover as a SAN.  This is only required for non-domain joined machines or computers or mobile devices connecting from outside.
February 25th, 2015 2:56am

Hi Ed,

They match to their corresponding hostnames.  I am sure DNS settings are all good.  There is only one autodiscover DNS setting that points to the CASa IP.  Should I have a second autodiscover DNS to point to CASb?

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl Identity,Externalhostname


Identity         : server1\Rpc (Default Web Site)
ExternalHostname : mail.sitea.domain.com

Identity         : server2\Rpc (Default Web Site)
ExternalHostname : mail.siteb.domain.com


February 25th, 2015 4:53am

Yes, I corrected that.  Ed, thanks for your suggestions thus far; however, I am still in the same scenario.  Any other suggestions to look at? Outlook client connection logs?

February 25th, 2015 3:02pm

From my experience the Outlook logs are unreadable by anyone except Microsoft Support.

If you want to post more details here, I can look at them.  I suspect you have a mistyped URL somewhere or a missing hostname in your certificate.

One thing to consider is to use the same certificate for both sites with all the names in it.

February 25th, 2015 5:18pm

Is it possible that you're using a hardware load balancer that's configured for SSL offloading and the load balancer has the wrong certificate?  Can you reproduce the certificate warning with OWA?  If so, try pointing mail.siteb.domain.com to one of the servers with a hosts file entry and then see if OWA returns the same certificate warning.  Try pointing it to the other server as well.
February 25th, 2015 9:53pm

Hi Ed,

No type of load balancer.  OWA on siteb works and does not show the certificate warning.  Basically, two different URLs with CAS redirection.


March 9th, 2015 4:47pm
