After Outlook connects, getting a security alert for a self-signed cert referencing a branch Exchange server

Hi All

We have an Exchange 2010 setup consisting of 3 mailbox servers in a DAG and a 2-node HT/CAS NLB, all based at our London HQ (which is where I am based).

We also have a branch server in our Hong Kong office that is a single server running the HT/CAS/Mailbox roles, although currently it has no mailboxes as they are all still on databases in our DAG.

When I open Outlook on some machines I have noticed that about 30 seconds to a minute after the profile has connected I get a security alert telling me the security certificate was issued by a company you have not chosen to trust, and it's referencing the standalone Exchange server we have in our HK office.

[Screenshot: Security Alert after Outlook connects]

I can't work out why it would be trying to connect me to that remote server as there is nothing on it. I did an rpcdiag and verified that for mail I am connecting to our NLB FQDN in London, and for public folders I am also connecting to a mailbox server in London.
I have checked the OAB and that is on the 3 Mailbox servers in London.

If I click Yes to proceed, everything works fine and I don't have any issues or get prompted for anything else until I have to restart Outlook; I would just like to understand why.

Anybody have any suggestions?

Thanks
ncomper asked:

Simon Butler (Sembee), Consultant, commented:
It will be connecting to Autodiscover, most likely.
Do you have the two sites in different AD sites?

Doing an Outlook Autodiscover test (hold down Ctrl while right-clicking on the Outlook icon in the system tray) could give you an indication of what is happening.

Simon.
ncomper (Author) commented:
Hi Simon

Thanks for the help, you are correct. I see in the log tab the 3 lines below. We have one other branch office in the US with a single server with the HT/CAS/Mailbox roles installed, again not actually used; in the Autodiscover log I also see Autodiscover entries for this server, although I don't get any alerts for it.

[Screenshot: entry in Autodiscover log]

Why would Autodiscover be connecting to remote branch servers?

Thanks
Simon Butler (Sembee), Consultant, commented:
That goes back to my first post: AD Sites configuration.
Autodiscover is AD site aware. Therefore, if you have your entire environment in a single AD site, each server with the CAS role will be publishing its own Autodiscover information to the domain; in effect you have an "Autodiscover war".

You can see the values being published like this:

Get-ClientAccessServer | Select-Object Identity, AutoDiscoverServiceInternalUri

Autodiscover is published to the domain at regular intervals by each server, so which one published last determines which server the client queries.

The fix has multiple parts.

1. Get your AD Sites and Services configured correctly (correct subnets, etc.).
2. Sort out SSL certificates for those CAS role holders. They should be trusted and have a unique URL internally and externally. You may have to use a split DNS system for that.
3. Correct the URL in the value I have written above so that the correct host name (matching the SSL certificate) is set.

There are various strategies for the above: you could have a host name per server, or you could go per site, or even a single host name for the entire forest. I have seen all three done. It very much depends on bandwidth, how many users, and personal preference.

Simon.
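The three-part fix above boils down to one check per CAS role holder: does the host name in the published AutoDiscoverServiceInternalUri appear on a trusted (non-self-signed) certificate bound to IIS on that server? The script below is an added example, not code from the thread or from Microsoft; it runs in the Exchange 2010 Management Shell, reports each server's published host name, site scope and certificate state, and shows the step-3 correction with -WhatIf so nothing changes until you remove it. The server and DNS names in it are placeholders.

```powershell
# Added example (not from the thread): audit every CAS role holder's published
# Autodiscover SCP URI against the certificate bound to IIS on that server.
# Run from the Exchange 2010 Management Shell. Names below are placeholders.

function Test-NameCovered {
    # $true if $HostName matches one of the certificate's names exactly, or is
    # covered by a wildcard entry (*.example.com) at the same DNS level.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        $dot = $HostName.IndexOf('.')
        if ($name.StartsWith('*.') -and $dot -ge 0) {
            if ($HostName.Substring($dot) -ieq $name.Substring(1)) { return $true }
        }
    }
    return $false
}

$report = foreach ($cas in Get-ClientAccessServer) {
    $uri = [System.Uri]$cas.AutoDiscoverServiceInternalUri
    # The certificate with the IIS service assigned is the one Outlook sees.
    $iisCert = Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { $_.Services.ToString() -match 'IIS' } |
        Select-Object -First 1
    $certNames  = @()
    $selfSigned = $null
    if ($iisCert) {
        $certNames  = $iisCert.CertificateDomains | ForEach-Object { $_.ToString() }
        $selfSigned = $iisCert.IsSelfSigned
    }
    New-Object PSObject -Property @{
        Server           = $cas.Name
        AutodiscoverHost = $uri.Host
        SiteScope        = (@($cas.AutoDiscoverSiteScope) -join ',')
        CertSelfSigned   = $selfSigned
        CertCoversHost   = Test-NameCovered -HostName $uri.Host -CertNames $certNames
    }
}

# A row with CertSelfSigned = True or CertCoversHost = False is a server that
# will trigger the "not chosen to trust" / name-mismatch prompt when Outlook
# happens to pick its SCP record.
$report | Format-Table Server, AutodiscoverHost, SiteScope, CertSelfSigned, CertCoversHost -AutoSize

# Step 3 of the fix: point the SCP at the host name the trusted certificate
# actually carries (placeholder server and DNS name). Remove -WhatIf to apply.
Set-ClientAccessServer -Identity 'HK-EXCH01' `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml' `
    -WhatIf
```

The report deliberately reads the certificate from each server rather than trusting the URI alone: a URI can look correct while the server behind it still presents the default self-signed certificate, which is exactly the prompt described in the question.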

ncomper (Author) commented:
Thanks Simon

I have checked our AD sites, and the subnet that the HK Exchange server is on is configured on the HK AD site.

We have 2 sites in London, each has its own AD site, the subnets are correctly associated with the relevant site.

The site that I am seeing this message come up on does not have any Exchange servers, just a DC; the other London site has all our kit.

Could it be that because there is no on-site Exchange server it is just connecting to any Exchange server out there rather than the main London site?

The way the AD links are set up is that there is a site link between each remote site and our main London HQ site, in a hub-and-spoke model, so based on that I would have expected any connections to have been directed to the Exchange servers there rather than in Hong Kong.

Thanks again

Nick
Simon Butler (Sembee), Consultant, commented:
If there is no Exchange server in the AD site then the client is going to query the first one that responds.
Therefore you need to ensure that all servers with the CAS role are configured correctly, so a trusted SSL certificate and a valid host name, even if this means they are using the same host name as another site.

Simon.
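Alongside fixing every CAS role holder's certificate, the SCP records themselves can be tagged with the AD sites they should serve: Set-ClientAccessServer -AutoDiscoverSiteScope lists the sites for which a server's Autodiscover record is preferred, so a site that has only a DC can be pointed at the London HQ servers instead of whichever record the client happens to pick up. The script below is an added example, not the answerer's code; it maps AD sites to the CAS servers they contain, then scopes the HQ servers' records to both London sites. AD site names and server names are placeholders, and the change runs with -WhatIf until you remove it.

```powershell
# Added example (not from the thread). Shows which AD sites have no CAS role
# holder, then tags the London HQ servers' Autodiscover SCP records with every
# AD site that should use them, including the Exchange-less London site.
# Site and server names are placeholders; run from the Exchange 2010 Management Shell.

# 1. Map each AD site to the CAS role holders located in it.
$casBySite = @{}
foreach ($cas in Get-ClientAccessServer) {
    $siteName = (Get-ExchangeServer -Identity $cas.Name).Site.Name
    if (-not $casBySite.ContainsKey($siteName)) { $casBySite[$siteName] = @() }
    $casBySite[$siteName] += $cas.Name
}

# 2. Report every AD site; a site with no CAS is one whose clients will not
#    find a site-scoped SCP and will fall back to the other records.
foreach ($adSite in Get-ADSite) {
    $holders = $casBySite[$adSite.Name]
    if ($holders) {
        "{0,-22} CAS: {1}" -f $adSite.Name, ($holders -join ', ')
    } else {
        "{0,-22} no CAS in this site; clients fall back to any published SCP" -f $adSite.Name
    }
}

# 3. Scope the HQ servers' SCP records to the HQ site plus the London site that
#    has only a DC, so Outlook there prefers a London record. Placeholders:
$londonSites = 'London-HQ', 'London-Office2'
$hqCasServers = 'LON-CAS01', 'LON-CAS02'
foreach ($name in $hqCasServers) {
    Set-ClientAccessServer -Identity $name -AutoDiscoverSiteScope $londonSites -WhatIf
}

# Confirm what each server now advertises.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverSiteScope -AutoSize
```

Site scoping narrows which record a client prefers; it does not remove the need for the branch servers to carry a trusted certificate, because any record can still be chosen when no scoped one matches the client's site.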

ncomper (Author) commented:
Excellent as always, thanks Simon.