Solved

Migration of Exchange 2007 on SBS 2008 to Exchange 2010 Activesync issue

Posted on 2012-03-22
Last Modified: 2012-04-05
I followed the instructions in the attached link: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_25005312.html to migrate Exchange 2007 running on Windows SBS 2008 to Exchange 2010 running on Windows Server 2008 R2 on a completely separate server.

Nearly everything is working correctly except for Activesync. When trying to connect a device via Activesync, the automatic configuration option fails. According to the log on the device, there appears to be an issue with the certificate:

"checking certificate...checking to see if server is self-signed:
https://remote.mydomain.com Server cert not trusted, setting accept all certs
Checking Activesync with SSL...
ActiveSync location returned HTTP code 404: Not Found
ActiveSync version check returned negative, but still trying for 12.1"

Also, each time a user opens Outlook, they are prompted with a security alert. The security alert indicates that the name on the security certificate is invalid or does not match the name of the site.

As info, the certificate we are using is NOT a self-signed certificate. We were using a GoDaddy certificate on the SBS server. The external web address of the old SBS Exchange server, remote.mydomain.com, was simply re-assigned to the new Exchange server. As such, I rekeyed the certificate last night. I generated a request from the Exchange 2010 server and used that request to rekey the certificate. After installing the certificate, I configured the IIS service to use this newly rekeyed certificate.

I'm sure I've missed something but I'm at a loss at this point. Certificates are not my expertise!
Question by:dsurrett2
Assisted Solution

by:Adam Brown
The issue is likely caused by Autodiscover being configured to use a different host name than your certificate contains. Follow the instructions here: http://www.thirdtier.net/2011/06/setting-up-autodiscover-for-sbs-2011/ and see if that helps.
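
Added example, not part of the original thread or of any poster's reply: a PowerShell check for the condition described in the answer above, listing configured client URLs whose host name is not covered by the certificate assigned to IIS. The function names and the host exch01.mydomain.local are assumptions made for illustration; the sample values are constructed.

```powershell
# Added example; function names are hypothetical, sample values are constructed.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        # A wildcard entry (*.mydomain.com) covers exactly one left-most label.
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)    # ".mydomain.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Find-UrlNameMismatch {
    param([hashtable]$Urls, [string[]]$CertDomains)
    foreach ($name in $Urls.Keys) {
        if (-not $Urls[$name]) { continue }    # URL not configured
        $urlHost = ([uri]"$($Urls[$name])").Host
        if (-not (Test-NameCovered $urlHost $CertDomains)) {
            # One object per setting that would trigger a name-mismatch alert
            New-Object psobject -Property @{ Setting = $name; HostName = $urlHost }
        }
    }
}

# Constructed sample: certificate names and the URLs clients are handed.
# On the Exchange 2010 server, read the real values in the Exchange Management Shell:
#   Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains
#   Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri
#   Get-AutodiscoverVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl
#   Get-ActiveSyncVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl
$certDomains = @('remote.mydomain.com')
$urls = @{
    AutodiscoverScpUri = 'https://exch01.mydomain.local/Autodiscover/Autodiscover.xml'
    AutodiscoverExtUrl = 'https://remote.mydomain.com/autodiscover/autodiscover.xml'
    ActiveSyncExtUrl   = 'https://remote.mydomain.com/Microsoft-Server-ActiveSync'
}
Find-UrlNameMismatch -Urls $urls -CertDomains $certDomains
```

Any setting it lists hands clients a host name the certificate does not carry, which is what produces the Outlook name-mismatch alert.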

Author Comment

by:dsurrett2
I added the SRV record to my public DNS server and that didn't seem to make a difference. We did not have any issues with this prior to migrating from Exchange 2007/SBS 2008 to Exchange 2010/Server 2008 R2. Prior to the migration, we were not using any autodiscover SRV record and the activesync clients connected just fine.

In addition, we are still getting a security alert in Outlook complaining about the name in the security certificate each time Outlook opens. This occurs even for Outlook clients that are connected directly to the Exchange 2010 server on the same LAN/Domain. I wouldn't think these clients are using Autodiscover, are they?
Assisted Solution

by:Adam Brown
Outlook clients after 2003 utilize Autodiscover for a lot of different purposes. You may also need to set the autodiscover virtual directory to use the appropriate URL.

Set-AutodiscoverVirtualDirectory -InternalUrl "https://remote.mydomain.com/autodiscover/autodiscover.xml" -ExternalUrl "https://remote.mydomain.com/autodiscover/autodiscover.xml"

Also note that changes to your Public DNS settings may actually take a good bit of time to take effect depending on TTLs.

Author Comment

by:dsurrett2
Please forgive my exchange "newbie-ness"... the Exchange Mgmt shell command is prompting me for an Identity when I run the above command. What is the identity value supposed to be?
Accepted Solution

by:Adam Brown
Put get-autodiscovervirtualdirectory | in front of that line and that should take care of it.

Author Comment

by:dsurrett2
Ok, that helped. When I run get-autodiscovervirtualdirectory, I can see the url is populated for the old server (still) and now the new server is populated as well. They both point to the same external url.

How do I get rid of the url info for the old server?
Expert Comment

by:Adam Brown
Is the old server still online? If not, you might need to clear out the server information in ADSIEdit. Open ADSIEdit, connect to Configuration, go to Services\Microsoft Exchange\First Organization\Administrative Groups\Exchange Administrative Group (FYDIBOHF23SPDLT)\Servers
Then remove any servers there that no longer exist. If the server *is* still online, the Virtual directories for that server will exist until it's taken offline or Exchange 2007 is removed from the server (in the case of SBS 2008, Exchange *can't* be removed)

Author Comment

by:dsurrett2
The Exchange server is still online. I can't uninstall Exchange because it keeps telling me I have a public folder database in the second storage group. Try as I may to remove this database, EMC will not let me.

So, basically, what you are telling me is that I won't have a fully operational Exchange 2010 until I completely remove the SBS server from the domain?
Expert Comment

by:Adam Brown
Yeah, pretty much. SBS likes to control the world. But what you have should be *functional*, just not optimum and probably not supported by MS. That's why SBS is so cheap. If you have a full version of Exchange, you'll also need to deploy a full Windows 2008 DC to manage AD for it.

Author Comment

by:dsurrett2
I may not have been clear in my opening rambling but just to clarify, I have Exchange 2010 already installed on a separate server that is running Windows Server 2008R2. This new server is a domain controller already.

When I installed Exchange 2010, it automatically recognized Exchange 2007 on the SBS server and I was able to migrate all the mailboxes and users to Exchange 2010. However, I cannot uninstall Exchange 2007 and cannot remove the external url link (which happens to be the same as my new server).

Author Comment

by:dsurrett2
So, in the end, the problem I was having with Activesync turned out to be a NAT policy issue on the firewall. However, all the above suggestions were helpful as well and were all things I needed to check/validate anyway.