Solved

After outlook is connected Getting security alert for self signed cert but referencing a branch exchange server

Posted on 2014-01-08
242 Views
Last Modified: 2014-01-13
Hi All

We have an Exchange 2010 setup consisting of 3 mailbox servers in a DAG and a 2-node HT/CAS NLB that is all based at our London HQ (which is where I am based).

We also have a branch server in our Hong Kong office that is a single server running the HT/CAS/Mailbox roles, although currently it has no mailboxes as they are all still on databases in our DAG.

When I open Outlook on some machines I have noticed that about 30 seconds to a minute after the profile has connected I get a security alert telling me "the security certificate was issued by a company you have not chosen to trust", and it's referencing the standalone Exchange server we have in our HK office.

[Image: Security Alert after Outlook connects]
I can't work out why it would be trying to connect me to that remote server as there is nothing on it. I did an rpcdiag and verified that for mail I am connecting to our NLB FQDN in London, and for public folders I am also connecting to a mailbox server in London.
I have checked the OAB and that is on the 3 Mailbox servers in London.

If I click yes to proceed everything works fine and I don't have any issues or get prompted for anything else until I have to restart Outlook; I would just like to understand why.

Anybody have any suggestions?

Thanks
Question by:ncomper
Expert Comment

by:Simon Butler (Sembee)
ID: 39766742
It will be connected to Autodiscover most likely.
Do you have the two sites in different AD sites?

Doing an Outlook Autodiscover test (hold down ctrl while right clicking on the icon in the system tray) could give you an indication of what is happening.

Simon.
Author Comment

by:ncomper
ID: 39767430
Hi Simon

Thanks for the help, you are correct. I see in the log tab the below 3 lines. We have one other branch office in the US with a single server with HT/CAS/Mailbox roles installed, again not actually used; in the autodiscover log I also see autodiscover entries for this server, although I don't get any alerts for it.

[Image: entry in autodiscover log]
Why would autodiscover be connecting to remote branch servers?

Thanks
Expert Comment

by:Simon Butler (Sembee)
ID: 39767611
That goes to my first post - AD Sites configuration.
Autodiscover is AD site aware. Therefore if you have your entire environment in a single AD site, then each server with the CAS role will be publishing its own autodiscover information to the domain - in effect you have an "Autodiscover war".

You can see the values being published thus:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Autodiscover is published to the domain at regular intervals by the server, so which server the client queries depends on which one last published.

The fix is multiple part.

1. Get your AD sites and services configured correctly - correct subnets etc.
2. Sort out SSL certificates for those CAS role holders. They should be trusted and have a unique URL internally and externally. You may have to use a split DNS system for that.
3. Correct the URL on the value I have written above so that the correct host name (matching the SSL certificate) is set.

There are various strategies for the above - you could have a host name per server, or you could go per site, or even a single host name for the entire forest. I have seen all three done. It very much depends on bandwidth, how many users and personal preference.

Simon.
Author Comment

by:ncomper
ID: 39768764
Thanks Simon

I have checked our AD sites and the subnet that the HK Exchange server is on is configured on the HK AD site.

We have 2 sites in London, each has its own AD site, and the subnets are correctly associated with the relevant site.

The site that I am seeing this message come up on does not have any Exchange servers, just a DC; the other London site has all our kit.

Could it be that because there is no onsite Exchange server it is just connecting to any Exchange server out there rather than the main London site?

The way the AD links are set up is that there is a site link between each remote site and our main London HQ site, in a hub and spoke model, so based upon that I would have expected any connections to have been directed to the Exchange servers there rather than in Hong Kong.

Thanks again

Nick
Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
ID: 39770833
If there is no Exchange server in the AD site then the client is going to query the first one that responds.
Therefore you need to ensure that all servers with the CAS role are configured correctly - so trusted SSL certificate and valid host name - even if this means they are using the same host name as another site.

Simon.
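An added example, not from the thread: a PowerShell audit written against the Exchange 2010 cmdlets Simon names (Get-ClientAccessServer, plus Get-ExchangeCertificate and Set-ClientAccessServer) that checks each CAS role holder's published Autodiscover URI and site scope against the certificate bound to IIS on it, which is what steps 2 and 3 of his fix and the accepted answer require. Server, host and site names are placeholders.

```powershell
# Added example (not from the thread): audit every CAS server's published Autodiscover
# record against the certificate it actually serves, then fix one server's URI and scope.
# Run in the Exchange 2010 Management Shell. All server, host and site names are placeholders.

function Test-HostCoveredByCert {
    # True if $HostName is listed in the certificate's names, or matched by a wildcard entry
    # (a wildcard covers exactly one DNS label, so *.example.com does not cover a.b.example.com).
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+\.' + [regex]::Escape($d.Substring(2)) + '$'
            if ($HostName -imatch $pattern) { return $true }
        }
    }
    return $false
}

$report = foreach ($cas in Get-ClientAccessServer) {
    $uriHost = ([uri]$cas.AutoDiscoverServiceInternalUri).Host
    # The certificate Outlook sees over HTTPS is the one bound to the IIS service.
    $iisCert = Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    $issuer = '(no IIS certificate)'; $selfSigned = $false; $hostOk = $false
    if ($iisCert) {
        $issuer     = $iisCert.Issuer
        $selfSigned = ($iisCert.Subject -eq $iisCert.Issuer)
        $hostOk     = Test-HostCoveredByCert $uriHost $iisCert.CertificateDomains
    }
    New-Object PSObject -Property @{
        Server     = $cas.Name
        Uri        = $cas.AutoDiscoverServiceInternalUri
        SiteScope  = ($cas.AutoDiscoverSiteScope -join ',')
        Issuer     = $issuer
        SelfSigned = $selfSigned   # true: the "not chosen to trust" prompt from the question
        HostInCert = $hostOk       # false: a name-mismatch prompt even with a trusted CA
    }
}
$report | Format-Table Server, Uri, SiteScope, Issuer, SelfSigned, HostInCert -AutoSize

# Servers that will still trigger the alert; a client in an AD site with no CAS can hit any of them.
$report | Where-Object { $_.SelfSigned -or -not $_.HostInCert }

# Step 3 of the fix: publish the name the trusted certificate carries, scoped to the AD
# sites that should prefer this server. Remove -WhatIf to apply the change.
Set-ClientAccessServer -Identity 'HKEXCH01' `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml' `
    -AutoDiscoverSiteScope 'HongKong' -WhatIf
```

Run the audit again after the change; the alert stops only once no server in the list is self-signed or carries a name its certificate does not cover.
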
Author Closing Comment

by:ncomper
ID: 39775984
Excellent as always, Thanks Simon