Solved

End users unable to connect to Exchange (via Outlook 2003-2010) since Exchange server move and IP change

Posted on 2012-03-13
Last Modified: 2012-08-13
I moved my server from my data center to our in-house server room last week.  In the process, the server's internal IP address changed from 192.168.0.20 to 192.168.1.20.  Our external IP remained the same; we just changed IP mappings on our router to route to the new IP.

Since then we've been working fine except for:
1) External Users in Outlook 2003-2010 - keep getting prompted for user/pass.  After a minute there is an error dialog with the message: There is a problem with the proxy server's security certificate.  The name on the security certificate is invalid or does not match the name of the target site mail.____.com.  Outlook is unable to connect to the proxy server. (Error Code 0)

2) iOS users and Android users unable to get email.  There is no descriptive error, but I'm sure it's related to the issue above.

I'm running Exchange 2003 on Windows Server 2003 (Standard).
I have verified that my certificate (self assigned) has not expired.

Any help would be appreciated, I've got the President and Owner without email and they aren't happy to say the least.

Thanks in advance.

Screenshot of error message in Outlook
Question by:matpancha
14 Comments
 

Expert Comment

by:nullvalue888
ID: 37716739
The error says exactly what you need to do. You have to check your security certificate. Due to the transfer you did, the security certificate is intended for the old IP or your data center IP; now you have to get a new security certificate for your home server IP.
 
LVL 41

Expert Comment

by:Amit
ID: 37716746
Did you try to reconfigure the profile again and check if that works?
 

Author Comment

by:matpancha
ID: 37716798
@nullvalue - the public IP hasn't changed, only the internal LAN. Data center and office are on the same internal IP range. We've also confirmed the cert hasn't expired and doesn't have an incorrect IP. It actually has the FQDN, not an IP address, entered in it.

@amit - yes, I've tried recreating profiles. It doesn't work when outside the office (I'm testing by tethering my laptop to mobile) because it can't get past authentication.

Everything points me back to the cert but I'm trying to avoid reissuing the cert if I can. It's a last resort for me due to having to reissue to everyone.
 
LVL 8

Expert Comment

by:thomasdavis
ID: 37716873
Before, if you would put 192.168.0.20/owa it should go to the Exchange site, so in order for this to work locally without a cert error the IP would have to be located on the cert or in the thumbprint that was created somewhere also.
 

Author Comment

by:matpancha
ID: 37717044
@thomas - we've used mail._____.com to get to webmail (OWA) - it's always been configured for FQDN, not IP.  We have routing configured on the routers to deal with mapping the FQDN to the local IPs, and have verified that these are correct.
 

Author Comment

by:matpancha
ID: 37717886
Adding on to this -

We discovered that our internal DNS servers were pointing to the old LAN IPs. That's been updated BUT still hasn't resolved the above issues.

Outside of reissuing the certificate - any ideas?  Reissuing the cert is my last resort.

Thanks!
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 37718786
Firstly, I would be running the Exchange connectivity test https://www.testexchangeconnectivity.com/ to ensure everything outside is good.

Try putting an entry into the hosts file on a computer that is having the problem, with
192.168.1.20    mail.yourcompany.com

then at the command prompt
ipconfig /flushdns

Then try. If this fixes it then it will be a DNS issue that you may have already resolved, but it may take time for the change to propagate to the clients' cached entries. You could alter the logon scripts to flush their cache (ipconfig /flushdns) and then they would just need to log off and back on.

Cheers
Andrew
 

Author Comment

by:matpancha
ID: 37719975
@andrewjdavis
We have ensured that the cache has been flushed each time and confirmed via dcdiag and netdiag that it is showing the proper DNS resolution, but still no luck.
We've decided to change the IP back to its old IP and move it back to the data center, which in theory should resolve the issue, but it does not; the problem remains and we are still unable to connect via external connections (Outlook Anywhere, ActiveSync etc.), though OWA does work. We are about to reissue a new certificate as a last-ditch effort, but considering that the old certificate was using an FQDN, not a static IP, I don't think it will do any good.
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 37720048
What did https://www.testexchangeconnectivity.com/ come up with?

cheers
 

Author Comment

by:matpancha
ID: 37720874
Testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
      Test Steps
      ExRCA is attempting to test Autodiscover for testaccount@*****.com.
       Testing Autodiscover failed.
      Test Steps
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
      Test Steps
      Attempting to test potential Autodiscover URL https://*****.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
      Test Steps
      Attempting to resolve the host name *****.com in DNS.
       The host name resolved successfully.
      Additional Details
       IP addresses returned: ***.***.***.***
      Testing TCP port 443 on host *****.com to ensure it's listening and open.
       The specified port is either blocked, not listening, or not producing the expected response.
      Additional Details
       A network error occurred while communicating with the remote host.
      Attempting to test potential Autodiscover URL https://autodiscover.*****.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
      Test Steps
      Attempting to resolve the host name autodiscover.*****.com in DNS.
       The host name couldn't be resolved.
      Additional Details
       Host autodiscover.*****.com couldn't be resolved in DNS InfoDomainNonexistent.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
      Test Steps
      Attempting to resolve the host name autodiscover.*****.com in DNS.
       The host name couldn't be resolved.
      Additional Details
       Host autodiscover.*****.com couldn't be resolved in DNS InfoDomainNonexistent.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
      Test Steps
      Attempting to locate SRV record _autodiscover._tcp.*****.com in DNS.
       The Autodiscover SRV record wasn't found in DNS.
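The name-mismatch error from the question and the hostnames probed in the ExRCA output above can be checked together. This is an added example, not part of the thread and not Microsoft's code: it lists which hostnames a certificate would fail to cover, using the SAN-before-CN and single-wildcard-label rules of RFC 6125. The example.com names and the sample certificate are constructed; the dict layout is the one Python's ssl.SSLSocket.getpeercert() returns.

```python
# Constructed sample certificate, in ssl.SSLSocket.getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}


def autodiscover_hosts(email):
    """HTTPS hostnames the Autodiscover URL probes contact for this address."""
    domain = email.rsplit("@", 1)[1].lower()
    return [domain, "autodiscover." + domain]


def name_matches(pattern, host):
    """Exact match, or one left-most '*' label standing for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """SAN DNS entries if any exist; the subject CN is used only as a fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def mismatched_hosts(cert, hosts):
    """Hostnames for which a client would report a certificate name mismatch."""
    names = cert_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    # Proxy name configured in the Outlook profile plus the Autodiscover hosts.
    hosts = ["mail.example.com"] + autodiscover_hosts("testaccount@example.com")
    for h in mismatched_hosts(SAMPLE_CERT, hosts):
        print("certificate does not cover:", h)
```

A name match is only one of the checks a client makes; a self-signed certificate must also be trusted by the client for the connection to succeed.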
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 37720929
Follow the recommendations for fixes.
 
LVL 8

Expert Comment

by:thomasdavis
ID: 37720939
 

Accepted Solution

by:matpancha
ID: 37802957
We ended up calling Microsoft support - 14 hours later they resolved the issue by modifying security settings.  No logic to the fix, but it's working now.
 

Author Closing Comment

by:matpancha
ID: 37820892
Wasn't a community provided solution and I ended up going to MS support for assistance.  It was a one-off issue.