Solved

Availability service Exchange 2007

Posted on 2011-02-16
Last Modified: 2012-08-13
We have 2 CAS servers: one is Internet-facing, one is internal.
Autodiscover is working; this question is more about trying to understand.

Our internal domain is different from our external domain name,
so the internal alias would be user@test.lcl and
the external would be user@testexternal.com.


From a computer added to the domain and connected to the network, if I run the test auto-configuration using my email address user@testexternal.com, it populates with the external URLs correctly using the Internet-facing CAS server.

If I use my AD credentials user@test.lcl, it pulls the services from the internal Client Access server, not the Internet-facing CAS server.

I do not understand how Outlook/Exchange determines which CAS server to use internally, or if there is a way to specify one over the other.
Why doesn't it use the external-facing CAS server?

The reason I ask is that if we have a computer that is not a member of the domain but is on the network, when a user with a valid account tries to authenticate and open Outlook they get a cert error asking to trust the cert, which is the self-signed cert of the internal CAS server, rather than hitting the Internet-facing CAS server.
If the computer is external and not connected to the domain and tries to access Outlook using Autodiscover or Outlook Anywhere, it works fine.
Question by:mndthegap1
12 Comments
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34909490
Basically the non domain joined client can't trust the internal cert because it is not in the same domain as the CAS server. Have you got internal DNS for your external domain name that resolves your cert name to the internal IP address of your Internet CAS server? Also add a SRV record to that internal zone that points at your internal Internet facing CAS server.
0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 500 total points
ID: 34909539
So in short:
1.) create the testexternal.com DNS zone on your internal DNS
2.) add any names (A records)  you need to resolve internally. Like mail.testexternal.com
3.) add a SRV record in the zone you created in Step 1, pointing at your Internet CAS server, where the name is internal or resolves to the internal IP address

More info on SRV record:
http://support.microsoft.com/kb/940881
0
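
Steps 1 to 3 of the accepted solution as PowerShell, added here as an illustration and not part of the original answer. It assumes the DnsServer module (Windows Server 2012 or later; on older servers the same records can be created in the DNS console); the host name `mail` matches the thread's mail.testexternal.com, and the IP address is a placeholder.

```powershell
# Added example. Run on an internal DNS server; values marked "placeholder" are constructed.
$Zone    = 'testexternal.com'   # external SMTP domain used in the thread
$CasHost = 'mail'               # host name on the Internet-facing CAS certificate
$CasIp   = '192.0.2.10'         # placeholder: internal IP of the Internet-facing CAS

# Step 1: create the zone on the internal DNS only (split DNS).
# Caveat: the internal servers become authoritative for this zone, so every
# other name users need (for example www) must also be added here.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain'
}

# Step 2: A record so the certificate name resolves to the internal address.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $CasHost -IPv4Address $CasIp

# Step 3: SRV record for the Autodiscover lookup (see KB 940881), port 443.
Add-DnsServerResourceRecord -ZoneName $Zone -Srv -Name '_autodiscover._tcp' `
    -DomainName "$CasHost.$Zone" -Priority 0 -Weight 0 -Port 443

# Check from an internal client: the SRV target must be the certificate name,
# and that name must resolve to the Internet-facing CAS, not the internal CAS.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Zone" -Type SRV -DnsOnly |
       Where-Object { $_.Type -eq 'SRV' }
$a   = Resolve-DnsName -Name "$CasHost.$Zone" -Type A -DnsOnly |
       Where-Object { $_.Type -eq 'A' }

foreach ($record in $srv) {
    if ($record.NameTarget -ne "$CasHost.$Zone" -or $record.Port -ne 443) {
        Write-Warning "Unexpected SRV target: $($record.NameTarget):$($record.Port)"
    }
}
if ($a.IPAddress -notcontains $CasIp) {
    Write-Warning "$CasHost.$Zone does not resolve to $CasIp from this client"
}
```

A non-domain-joined client only avoids the certificate prompt if the SRV target is a name that appears on the publicly trusted certificate, so check the target name as well as the address it resolves to.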
 

Author Comment

by:mndthegap1
ID: 34909670
We do have DNS configured with both internal and external DNS zones.
I do have an A record for my mail.testexternal.com pointing to the Internet-facing CAS server.
I will try adding the SRV record, thank you.

But can you explain or let me know how, when internal, which CAS server is selected?
I just can't grasp that.
Thanks for the help.
0
 

Author Comment

by:mndthegap1
ID: 34909751
One other thing: I need to add the SRV record to the internal DNS zone, correct?
The test.lcl zone? Because if I am using the internal credentials alias@test.lcl

Or do I need to add it to both the internal test.lcl zone and my external zone?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34909759
A non-domain-joined client will resort to DNS to find the Autodiscover service and the URLs.

The SRV article I posted will explain that. Whereas the domain-joined client will query AD for Service Connection Points and will connect to whichever CAS server in its AD site was created first.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34909855
More info on the Autodiscover service:
http://technet.microsoft.com/en-us/library/bb332063(v=exchg.80).aspx

Add the SRV record to your internal DNS testexternal.com zone; that way, if someone internal uses a non-domain-joined machine, they will get connected to Exchange with no cert error.
0
 

Author Comment

by:mndthegap1
ID: 34909871
Okay, so if the internal CAS server was created in the site before the Internet-facing CAS server, Outlook will attempt to try that server first, then the Internet-facing one as a secondary. Is that basically how it works?

But I get the SRV record fix, so I will do that.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34909898
I thought you said that @test.lcl worked correctly? Wouldn't it be easier for users to enter their external email address and password?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34909946
Yep, you got the idea. Have a read of the whitepaper; it might explain things a bit better or make them a bit clearer...
0
 

Author Comment

by:mndthegap1
ID: 34910030
Thanks so much for your help, I appreciate it.
One last question regarding it: is there a way to modify the SCP list to change the order?
Or would that require using ADSI Edit or whatnot?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34910141
ADSI Edit and reinstalling your CAS server ;-)
Are both of your CAS servers in the same AD site?
Upgrade to Exchange 2010 for CAS arrays.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34951951
Thanks for the points, did the SRV record and internal DNS resolve your issue?
0
