Solved

After outlook is connected Getting security alert for self signed cert but referencing a branch exchange server

Posted on 2014-01-08
264 Views
Last Modified: 2014-01-13
Hi All

We have an Exchange 2010 setup consisting of 3 mailbox servers in a DAG and a 2 node HT / CAS NLB that is all based at our London HQ (which is where I am based).

We also have a branch server in our Hong Kong office that is a single server running the HT / CAS / Mailbox roles, although currently it has no mailboxes as they are all still on databases in our DAG.

When I open Outlook on some machines I have noticed that about 30 seconds to a minute after the profile has connected I get a security alert telling me the security certificate was issued by a company you have not chosen to trust, and it's referencing the standalone Exchange server we have in our HK office.

Security Alert after outlook connects
I can't work out why it would be trying to connect me to that remote server as there is nothing on it. I did an rpcdiag and verified that for mail I am connecting to our NLB FQDN in London and for public folders I am also connecting to a mailbox server in London.
I have checked the OAB and that is on the 3 Mailbox servers in London.

If I click Yes to proceed everything works fine and I don't have any issues or get prompted for anything else until I have to restart Outlook. I would just like to understand why.

Anybody have any suggestions?

Thanks
Question by:ncomper
6 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39766742
It will be connected to Autodiscover most likely.
Do you have the two sites in different AD sites?

Doing an Outlook Autodiscover test (hold down ctrl while right clicking on the icon in the system tray) could give you an indication of what is happening.

Simon.
0
 
LVL 5

Author Comment

by:ncomper
ID: 39767430
Hi Simon

Thanks for the help, you are correct. I see in the log tab the 3 lines below. We have one other branch office in the US with a single server with HT/CAS/Mailbox roles installed, again not actually used; in the autodiscover log I also see autodiscover entries for this server, although I don't get any alerts for it.

entry in autodiscover log
Why would autodiscover be connecting to remote branch servers?

Thanks
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39767611
That goes to my first post - AD Sites configuration.
Autodiscover is AD site aware. Therefore, if you have your entire environment in a single AD site, each server with the CAS role will be publishing its own autodiscover information to the domain; in effect you have an "Autodiscover war".

You can see the values being published thus:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Autodiscover is published to the domain at regular intervals by the server; therefore which server the client queries depends on which one last published.

The fix is multiple part.

1. Get your AD sites and services configured correctly, with the correct subnets etc.
2. Sort out SSL certificates for those CAS role holders. They should be trusted and have a unique URL internally and externally. You may have to use a split DNS system for that.
3. Correct the URL on the value I have written above so that the correct host name (matching the SSL certificate) is set.

There are various strategies for the above: you could have a host name per server, or you could go per site, or even a single host name for the entire Forest. I have seen all three done. It very much depends on bandwidth, how many users and personal preference.

Simon.
0
 
LVL 5

Author Comment

by:ncomper
ID: 39768764
Thanks Simon

I have checked our AD sites and the subnet that the HK Exchange server is on is configured on the HK AD site.

We have 2 sites in London, each has its own AD site, and the subnets are correctly associated with the relevant site.

The site that I am seeing this message come up on does not have any Exchange servers, just a DC; the other London site has all our kit.

Could it be that because there is no onsite Exchange server it is just connecting to any Exchange server out there rather than the main London site?

The way the AD links are set up is that there is a site link between each remote site and our main London HQ site, in a hub and spoke model, so based upon that I would have expected any connections to have been directed to the Exchange servers there rather than in Hong Kong.

Thanks again

Nick
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39770833
If there is no Exchange server in the AD site then the client is going to query the first one that responds.
Therefore you need to ensure that all servers with the CAS role are configured correctly, so a trusted SSL certificate and a valid host name, even if this means they are using the same host name as another site.

Simon.
0
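The two answers above (ID 39767611 and the accepted solution) come down to one check: for every CAS role holder, the host name in AutoDiscoverServiceInternalUri must be covered by a trusted certificate bound to IIS on that server and must resolve in DNS, otherwise a client that lands on that server gets the trust prompt described in the question. The script below is an added example written for this page, not code from the thread or from Microsoft; it runs in the Exchange Management Shell and uses only the Get-ClientAccessServer, Get-ExchangeCertificate and Set-ClientAccessServer cmdlets. The server name HKEXCH01 and the host autodiscover.example.com in the remediation comment are placeholders.

```powershell
# Added example: audit AutoDiscoverServiceInternalUri on every CAS role holder
# against the certificate enabled for IIS on that server, and flag the cases that
# would produce the "not chosen to trust" prompt in Outlook.
# Assumes the Exchange Management Shell (Exchange 2010) with rights to read server
# and certificate objects. Host names in the remediation comment are placeholders.

function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    if (-not $HostName) { return $false }
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        # A wildcard entry such as *.contoso.com covers exactly one label to the left.
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)   # ".contoso.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                ($HostName.Split('.').Count -eq $d.Split('.').Count)) { return $true }
        }
    }
    return $false
}

function Get-AutodiscoverAudit {
    $report = foreach ($cas in Get-ClientAccessServer) {
        $uri     = $cas.AutoDiscoverServiceInternalUri
        $uriHost = if ($uri) { ([Uri]$uri).Host } else { $null }

        # Only certificates with the IIS service enabled are presented on /Autodiscover.
        $iisCerts = Get-ExchangeCertificate -Server $cas.Name |
            Where-Object { $_.Services -match 'IIS' }

        $covered = $false
        foreach ($c in $iisCerts) {
            if (Test-HostCoveredByCert -HostName $uriHost -CertDomains $c.CertificateDomains) {
                $covered = $true
            }
        }

        # A self-signed certificate has identical Subject and Issuer; clients that do
        # not hold it in their trusted root store will warn on it.
        $selfSigned = [bool]($iisCerts | Where-Object { $_.Subject -eq $_.Issuer })

        $resolves = $false
        if ($uriHost) {
            try { [void][System.Net.Dns]::GetHostAddresses($uriHost); $resolves = $true } catch {}
        }

        New-Object PSObject -Property @{
            Server            = $cas.Name
            AutodiscoverUri   = $uri
            SiteScope         = ($cas.AutoDiscoverSiteScope -join ',')
            HostInIisCert     = $covered
            IisCertSelfSigned = $selfSigned
            HostResolves      = $resolves
        }
    }
    $report | Sort-Object Server
}

Get-AutodiscoverAudit |
    Format-Table Server, AutodiscoverUri, SiteScope, HostInIisCert, IisCertSelfSigned, HostResolves -AutoSize

# Remediation for a server that fails the check (step 3 in the answer above), once a
# trusted certificate carrying that name is enabled for IIS on it. Placeholder values:
# Set-ClientAccessServer -Identity HKEXCH01 -AutoDiscoverServiceInternalUri `
#     'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'
```

A row with HostInIisCert false or IisCertSelfSigned true is a server that will trigger the prompt for any client whose AD site has no CAS of its own, which is the situation the accepted solution describes. The AutoDiscoverSiteScope column shows which AD sites each server advertises for, so an empty or wrong scope on a branch server explains why London clients reached Hong Kong.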
 
LVL 5

Author Closing Comment

by:ncomper
ID: 39775984
Excellent as always, Thanks Simon
0
