Availability service Exchange 2007

Posted on 2011-02-16
Last Modified: 2012-08-13
We have 2 CAS servers: one is internet facing, one is internal.
Autodiscover is working; this question is more about trying to understand.

Our internal domain is different than our external domain name.
So the internal alias would be user@test.lcl
External would be user@testexternal.com


From a computer added to the domain and connected to the network, if I run the test auto-configuration using my email address user@testexternal.com it populates the external URLs correctly using the internet facing CAS server.

If I use my AD credentials user@test.lcl it pulls the services from the internal client access server, not the internet facing CAS server.

I do not understand how Outlook/Exchange determines which CAS server to use internally, or if there is a way to specify one over the other?
Why doesn't it use the external facing CAS server?

The reason I ask is if we have a computer that is not a member of the domain but is on the network, when a user with a valid account tries to authenticate and open Outlook they are getting a cert error to trust the cert, which is the self signed cert of the internal CAS server, rather than hitting the internet facing CAS server.
If the computer is external and not connected to the domain and tries to access Outlook using Autodiscover or Outlook Anywhere, it works fine.
Question by:mndthegap1

Expert Comment

by:MegaNuk3
ID: 34909490
Basically the non domain joined client can't trust the internal cert because it is not in the same domain as the CAS server. Have you got internal DNS for your external domain name that resolves your cert name to the internal IP address of your Internet CAS server? Also add a SRV record to that internal zone that points at your internal Internet facing CAS server.

Accepted Solution

by: MegaNuk3 (earned 500 total points)
ID: 34909539
So in short:
1.) create the testexternal.com DNS zone on your internal DNS
2.) add any names (A records)  you need to resolve internally. Like mail.testexternal.com
3.) add a SRV record in the zone you created in Step 1, pointing at your Internet CAS server, where the name is internal or resolves to the internal IP address

More info on SRV record:
http://support.microsoft.com/kb/940881
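The three steps above, as an added example that is not part of the thread: run on the internal Windows DNS server with dnscmd (the zone name is taken from the question; the host name and the internal IP of the Internet-facing CAS are placeholders). The SRV target must be the name on the Internet-facing CAS certificate, otherwise non-domain-joined clients still get a certificate prompt.

```powershell
# Added example (not from the thread): split-brain DNS for the external domain
# on the internal DNS server, so non-domain-joined Outlook on the LAN reaches
# the Internet-facing CAS whose certificate name it can trust.
$zone    = 'testexternal.com'   # external domain, now also hosted internally
$casHost = 'mail'               # name on the Internet-facing CAS certificate (placeholder)
$casIp   = '10.0.0.25'          # internal IP of the Internet-facing CAS (placeholder)

# Step 1: create the zone (AD-integrated primary; use /Primary /file <name> on a standalone DNS)
dnscmd . /ZoneAdd $zone /DsPrimary

# Step 2: A record so mail.testexternal.com resolves to the internal IP of the Internet CAS
dnscmd . /RecordAdd $zone $casHost A $casIp

# Step 3: SRV record _autodiscover._tcp -> mail.testexternal.com on 443
#         (priority 0, weight 0, port 443). Non-domain-joined Outlook falls back to
#         this record after the https://testexternal.com and
#         https://autodiscover.testexternal.com lookups fail.
dnscmd . /RecordAdd $zone _autodiscover._tcp SRV 0 0 443 "$casHost.$zone."

# Check from an internal client: both answers must come from the internal zone,
# and the SRV target must match the certificate subject/SAN on the Internet CAS.
nslookup -type=A   "$casHost.$zone"
nslookup -type=SRV "_autodiscover._tcp.$zone"
```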
Author Comment

by:mndthegap1
ID: 34909670
We do have DNS configured with both internal and external DNS zones.
I do have an A record for my mail.testexternal.com pointing to the internet facing CAS server.
I will try adding the SRV record, thank you.

But can you explain or let me know how, when internal, the CAS server is selected?
I just can't grasp that.
Thanks for the help.

Author Comment

by:mndthegap1
ID: 34909751
One other thing: I need to add the SRV record to the internal DNS zone, correct,
the test.lcl zone? Because I am using the internal credentials alias@test.lcl.

Or do I need to add it to both the internal test.lcl zone and my external zone?

Expert Comment

by:MegaNuk3
ID: 34909759
A non domain joined client will resort to DNS to find the Autodiscover service and the URLs.

The SRV article I posted will explain that. Whereas the domain joined client will query AD for Service Connection Points and will connect to whichever CAS server in its AD site was created first.

Expert Comment

by:MegaNuk3
ID: 34909855
More info on the Autodiscover service:
http://technet.microsoft.com/en-us/library/bb332063(v=exchg.80).aspx

Add the SRV record to your internal DNS testexternal.com zone; that way, if someone internal uses a non-domain joined machine, they will get connected to Exchange with no cert error.
Author Comment

by:mndthegap1
ID: 34909871
Okay, so if the internal CAS server was created in the site before the internet facing CAS server, Outlook will attempt to try that server first, then the internet facing one as a secondary; is that basically how it works?

But I get the SRV record fix, so I will do that.

Expert Comment

by:MegaNuk3
ID: 34909898
I thought you said that @test.lcl worked correctly? Wouldn't it be easier for users to enter their external email address and password?

Expert Comment

by:MegaNuk3
ID: 34909946
Yep, you got the idea, have a read of the whitepaper it might explain things a bit better or make them a bit clearer...
Author Comment

by:mndthegap1
ID: 34910030
Thanks so much for your help, I appreciate it.
One last question regarding it: is there a way to modify the SCP list to change the order?
Or would that require using ADSI Edit or whatnot?

Expert Comment

by:MegaNuk3
ID: 34910141
ADSIEdit and reinstalling your CAS server ;-)
Are both of your CAS servers in the same AD site?
Upgrade to Exchange 2010 for CAS arrays.
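To see the SCP lookup described earlier (domain-joined Outlook queries AD for Service Connection Points and takes the oldest one in its site) and to address the question about changing which URL the SCPs hand out, here is an added example, not from the thread or from Microsoft: it lists the Autodiscover SCP objects in creation order. It assumes PowerShell 3 or later and that the account can read the Configuration partition; the keyword GUID is the one Exchange stamps on Autodiscover SCPs.

```powershell
# Added example (not from the thread): enumerate the Autodiscover SCPs a
# domain-joined Outlook reads from AD, oldest first (the order Outlook tries them).
# 77378F46-2C66-4aa9-A6A6-3E7A48B19596 is the keyword Exchange puts on Autodiscover SCPs.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.configurationNamingContext)"
$searcher.Filter = '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))'
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'serviceBindingInformation', 'keywords', 'whenCreated'))

$searcher.FindAll() |
    Sort-Object { $_.Properties['whencreated'][0] } |
    ForEach-Object {
        [pscustomobject]@{
            CAS             = $_.Properties['cn'][0]
            Created         = $_.Properties['whencreated'][0]
            # URL Outlook is sent to; its host name must match the CAS certificate
            AutodiscoverUrl = $_.Properties['servicebindinginformation'][0]
            # the other keywords are the AD site(s) this SCP is scoped to
            Keywords        = ($_.Properties['keywords'] -join ', ')
        }
    } | Format-Table -AutoSize

# Remediation without ADSIEdit (assumed to be run in the Exchange Management Shell,
# placeholder server and host names): instead of reordering SCPs, point the
# internal CAS's SCP at the certificate name of the Internet-facing CAS so a
# domain-joined client gets a URL whose certificate it trusts whichever SCP wins.
# Set-ClientAccessServer -Identity INTERNALCAS `
#     -AutoDiscoverServiceInternalUri 'https://mail.testexternal.com/Autodiscover/Autodiscover.xml'
```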

Expert Comment

by:MegaNuk3
ID: 34951951
Thanks for the points, did the SRV record and internal DNS resolve your issue?