Solved

After outlook is connected Getting security alert for self signed cert but referencing a branch exchange server

Posted on 2014-01-08
255 Views
Last Modified: 2014-01-13
Hi All

We have an Exchange 2010 setup consisting of 3 mailbox servers in a DAG and a 2-node HT/CAS NLB that is all based at our London HQ (which is where I am based).

We also have a branch server in our Hong Kong office that is a single server running the HT/CAS/Mailbox roles, although currently it has no mailboxes as they are all still on databases in our DAG.

When I open Outlook on some machines I have noticed that about 30 seconds to a minute after the profile has connected I get a security alert telling me the security certificate was issued by a company you have not chosen to trust, and it's referencing the standalone Exchange server we have in our HK office.

[Screenshot: Security Alert after Outlook connects]
I can't work out why it would be trying to connect me to that remote server as there is nothing on it. I did an rpcdiag and verified that for mail I am connecting to our NLB FQDN in London and for public folders I am also connecting to a mailbox server in London.
I have checked the OAB and that is on the 3 mailbox servers in London.

If I click Yes to proceed everything works fine and I don't have any issues or get prompted for anything else until I have to restart Outlook; I would just like to understand why.

Anybody have any suggestions?

Thanks
Question by: ncomper
6 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39766742
It will be connected to Autodiscover most likely.
Do you have the two sites in different AD sites?

Doing an Outlook Autodiscover test (hold down Ctrl while right-clicking on the icon in the system tray) could give you an indication of what is happening.

Simon.
0
 
LVL 5

Author Comment

by:ncomper
ID: 39767430
Hi Simon

Thanks for the help, you are correct. I see in the log tab the below 3 lines. We have one other branch office in the US with a single server with HT/CAS/Mailbox roles installed, again not actually used; in the Autodiscover log I also see Autodiscover entries for this server, although I don't get any alerts for it.

[Screenshot: entry in Autodiscover log]
Why would Autodiscover be connecting to remote branch servers?

Thanks
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39767611
That goes to my first post - AD Sites configuration.
Autodiscover is AD site aware. Therefore if you have your entire environment in a single AD site, then each server with the CAS role will be publishing its own autodiscover information to the domain - in effect you have an "Autodiscover war".

You can see the values being published thus:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Autodiscover is published to the domain at regular intervals by the server; therefore, which one published last determines the server the client queries.

The fix has multiple parts.

1. Get your AD sites and services configured correctly - correct subnets etc.
2. Sort out SSL certificates for those CAS role holders. They should be trusted and have a unique URL internally and externally. You may have to use a split DNS system for that.
3. Correct the URL on the value I have written above so that the correct host name (matching the SSL certificate) is set.

There are various strategies to the above - you could have a host name per server, or you could go per site, or even a single host name per the entire Forest. I have seen all three done. It very much depends on bandwidth, how many users and personal preference.

Simon.
0

 
LVL 5

Author Comment

by:ncomper
ID: 39768764
Thanks Simon

I have checked our AD sites and the subnet that the HK Exchange server is on is configured on the HK AD site.

We have 2 sites in London, each has its own AD site, and the subnets are correctly associated with the relevant site.

The site that I am seeing this message come up on does not have any Exchange servers, just a DC; the other London site has all our kit.

Could it be that because there is no on-site Exchange server it is just connecting to any Exchange server out there rather than the main London site?

The way the AD links are set up is that there is a site link between each remote site and our main London HQ site, in a hub-and-spoke model, so based upon that I would have expected any connections to have been directed to the Exchange servers there rather than in Hong Kong.

Thanks again

Nick
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39770833
If there is no Exchange server in the AD site then the client is going to query the first one that responds.
Therefore you need to ensure that all servers with the CAS role are configured correctly - so trusted SSL certificate and valid host name - even if this means they are using the same host name as another site.

Simon.
0
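The three-part fix above (AD sites, trusted certificates, matching SCP host name) and the accepted answer (every CAS role holder must publish a trusted name, since an Outlook client in a site with no Exchange server will take whichever SCP answers first) both come down to one audit: for each CAS, does the host name in its AutoDiscoverServiceInternalUri appear on a trusted certificate enabled for IIS on that server? The following PowerShell is an added example written for this thread, not code from Simon or from Microsoft; it assumes an Exchange 2010 Management Shell session, and the server name HKEXCH01 and the host name autodiscover.example.com in the closing comment are placeholders.

```powershell
# Added example (not from the thread): audit every CAS role holder's Autodiscover SCP
# against the certificate bound to IIS on that server. Run in the Exchange 2010
# Management Shell. Server and host names in the comments are placeholders.

function Test-AutodiscoverScp {
    [CmdletBinding()]
    param()

    foreach ($cas in Get-ClientAccessServer) {
        # AD site the server sits in (Autodiscover is AD-site aware, as the thread explains)
        $site = (Get-ExchangeServer -Identity $cas.Name).Site.Name

        # Host name the SCP publishes; this is the name Outlook will connect to and validate
        $uriHost = $null
        if ($cas.AutoDiscoverServiceInternalUri) {
            $uriHost = ([System.Uri]$cas.AutoDiscoverServiceInternalUri).Host.ToLower()
        }

        # Names on the certificates enabled for the IIS service on that server
        $iisCerts = @(Get-ExchangeCertificate -Server $cas.Name |
            Where-Object { $_.Services -match 'IIS' })
        $certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } |
            ForEach-Object { $_.ToString().ToLower() })

        # Covered if the exact host name or a wildcard for its parent domain is on the cert
        $covered = $false
        if ($uriHost) {
            $parent  = $uriHost.Substring($uriHost.IndexOf('.') + 1)
            $covered = ($certNames -contains $uriHost) -or ($certNames -contains "*.$parent")
        }

        # A self-signed IIS certificate triggers the prompt even when the name matches,
        # because the client has no chain to a trusted issuer
        $selfSigned = @($iisCerts | Where-Object { $_.IsSelfSigned }).Count -gt 0

        New-Object PSObject -Property @{
            Server            = $cas.Name
            ADSite            = $site
            ScpHost           = $uriHost
            SiteScope         = ($cas.AutoDiscoverSiteScope -join ', ')
            NameOnCertificate = $covered
            SelfSignedIIS     = $selfSigned
        }
    }
}

# Usage:
#   Test-AutodiscoverScp | Format-Table Server, ADSite, ScpHost, SiteScope, NameOnCertificate, SelfSignedIIS -AutoSize
#
# A row with NameOnCertificate = False or SelfSignedIIS = True is a server that can produce the
# prompt described in the question. Step 3 of the fix for such a server is (placeholder names):
#   Set-ClientAccessServer -Identity HKEXCH01 `
#       -AutoDiscoverServiceInternalUri 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'
# The name used must be one that appears on the trusted certificate bound to IIS on that server.
```

The SiteScope column surfaces AutoDiscoverSiteScope, the per-SCP list of AD sites the record is meant to serve; a client whose site appears in no SCP's scope falls into the "first one that responds" case from the accepted answer, which is why every CAS, including branch servers that hold no mailboxes, needs a trusted name rather than only the ones in the main site.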
 
LVL 5

Author Closing Comment

by:ncomper
ID: 39775984
Excellent as always. Thanks Simon.
0

Question has a verified solution.