Exchange 2003 to 2010 problems

I have installed an Exchange 2010 server with intent to replace an Exchange 2003 server.  I have moved my mailbox to the 2010 server.  I keep getting a "Security Alert" in Outlook.  The name on the security certificate is invalid or does not match the name of the site.
The name mentioned is mail.domain.com, which is what I want.
In DNS, I have an A record for mail, with the IP address of my 2010 server.

I also am unable to get smartphones to work with the new setup.

My firewall is set to translate mail.domain.com to the new server.

I assume my certificate, I went through the process of reissuing the certificate.  I believe it is correct.
HaulnSS asked:
 
Jullez (Network Engineer) commented:
It is different from a regular certificate; you need a Unified Communication certificate, which will allow you to use more than one name for your server. Do not use wildcard.

You are Generating a Certificate Signing Request (CSR) - Exchange Server 2010. You are not issuing a domain certificate...
Use the link I gave you above to issue, then use the second one to install.
0
 
Jullez (Network Engineer) commented:
Are you using a self issued certificate or a third party CA certificate?

On a client - hold control and right click on the outlook icon, run the "test Email Auto-configuration", "use autodiscover"

This should tell you which server it's trying to connect to etc.

The Exchange Web Service (EWS) is the web service that allows access to the Out of Office service. If either the internal or external URL for the EWS is missing or incorrect, OOF will fail and other services may not work as expected. Using Exchange Management Shell, check the URLs assigned to the web service virtual directory using the Get-WebServicesVirtualDirectory command.


You need to make sure that you configure EWS, Autodiscover, OWA, OAB, ECP correctly.

Post if you need help or results so we could continue.
0
 
HaulnSS (Author) commented:
I am using GoDaddy to issue the certificate.  

I tried the Control, right-click on the Outlook icon, no luck.  Control or no Control produces the same result.

I don't seem to know where to look for the EWS internal/external.  I have looked at ecp, owa, Activesync...etc.  ECP

Running the command you suggested, produces: Server - Inhouse server name, InternalUrl https://mail.domain.com/EWS/Exchange.asmx
That is what I want it to be....

FYI, OWA in house works fine, using both servername.domain.com and mail.domain.com

Thanks for help!
0
 
Jullez (Network Engineer) commented:
On the outlook icon on the bottom bar near the clock when outlook is running.

Outlook - right-click with Control for auto config
Did you set up split DNS on your DNS server?
Assuming the GoDaddy certificate was issued with the new requirements, you could not use your internal name for your server, so on the certificate your external name was used. You would need to set up a new DNS zone on your DNS server that will list all of your external services for your internal users.

For EWS: Get-WebServicesVirtualDirectory |fl identity,internalurl,externalurl

To set: Set-WebServicesVirtualDirectory -Identity "casserver1\EWS (Default Web Site)" -InternalUrl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$true

same for external if needed.

Get-AutodiscoverVirtualDirectory

To see the settings

[PS] C:\Windows\system32>Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

To fix:

Set-ClientAccessServer -Identity casserver -AutoDiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml


Now for the Outlook Web Apps, Exchange Control Panel, Exchange ActiveSync, Offline Address book…you have to go to Exchange Management Console (EMC)
1. Go to one of the CAS servers
2. Open EMC
3. Go to Server Configuration
4. Select Client Access
5. On the middle top panel, you can see the CAS server listed.
0
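Jullez's checklist above, gathered into one audit. This is an added example, not from the thread or from Microsoft: it reads every client-facing URL that Outlook and phones depend on and flags any that does not carry the public name. `$ExpectedHost` is an assumed value; run it in the Exchange Management Shell on the 2010 server.

```powershell
# Added example (not from the thread). Audits the Exchange 2010 client-facing
# URLs and the Autodiscover SCP against one expected public host name.
# Run in the Exchange Management Shell. $ExpectedHost is an assumed value.
$ExpectedHost = 'mail.domain.com'

# Each entry: service label, cmdlet that returns the directory objects,
# and the properties on those objects that hold URLs.
$checks = @(
    @{ Name = 'EWS';          Get = { Get-WebServicesVirtualDirectory }; Props = 'InternalUrl', 'ExternalUrl' }
    @{ Name = 'OWA';          Get = { Get-OwaVirtualDirectory };         Props = 'InternalUrl', 'ExternalUrl' }
    @{ Name = 'ECP';          Get = { Get-EcpVirtualDirectory };         Props = 'InternalUrl', 'ExternalUrl' }
    @{ Name = 'ActiveSync';   Get = { Get-ActiveSyncVirtualDirectory };  Props = 'InternalUrl', 'ExternalUrl' }
    @{ Name = 'OAB';          Get = { Get-OabVirtualDirectory };         Props = 'InternalUrl', 'ExternalUrl' }
    @{ Name = 'Autodiscover'; Get = { Get-ClientAccessServer };          Props = 'AutoDiscoverServiceInternalUri' }
)

$report = foreach ($check in $checks) {
    foreach ($dir in @(& $check.Get)) {
        foreach ($prop in $check.Props) {
            $url = $dir.$prop
            $hostName = if ($url) { ([uri]$url).Host } else { $null }
            # MISSING breaks the service outright; MISMATCH is the name that
            # ends up in Outlook's certificate warning.
            $status = if (-not $url) { 'MISSING' }
                      elseif ($hostName -ieq $ExpectedHost) { 'OK' }
                      else { 'MISMATCH' }
            New-Object PSObject -Property @{
                Service  = $check.Name
                Identity = [string]$dir.Identity
                Property = $prop
                Url      = [string]$url
                Status   = $status
            } | Select-Object Service, Identity, Property, Url, Status
        }
    }
}

$report | Sort-Object Status, Service | Format-Table -AutoSize

# Non-zero exit code lets the script double as a post-change check.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) URL(s) need attention"; exit 1 }
```

Anything reported as MISMATCH still points at the internal server name and is what the Set-* cmdlets above are for.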
 
HaulnSS (Author) commented:
Ah....that....LOL

Got it....  what do I want to see here on the Test E-mail AutoConfiguration?
Internal is servername.domain.com
External is mail.domain.com

Ok...  EWS shows the same internal/external mail.domain.com

Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
Shows Identity: Server name, AutodiscoverInternal: mail.domain.com
I ran the fix you attached

OWA
Internal: servername.domain.com
External: mail.domain.com

ECP
Same as OWA

Exchange ActiveSync
Both: mail.domain.com

OAB
Both: mail.domain.com
0
 
Jullez (Network Engineer) commented:
Make everything point to your external mail server name and set up split DNS.

Create a new zone on your internal DNS server: domain.com (your external domain)

Create "A" records as needed (you can look at your zone file that is hosted on your domain's name server):

www     A    external IP
mail    A    internal IP
0
 
HaulnSS (Author) commented:
Just to clarify, OWA and ECP are the only items that need to be fixed.  Do I need to do anything other than changing them in EMC?

I have DNS setup already.
0
 
Jullez (Network Engineer) commented:
Nope, should be all set if that is the only change.
0
 
HaulnSS (Author) commented:
Made those changes....still no luck on Outlook not giving error.
0
 
HaulnSS (Author) commented:
I blew away my email on my phone and tried to set it up again too....no go
0
 
HaulnSS (Author) commented:
Would Authentication or Permission Groups on the Receive Connectors have any bearing on the phones?

I had to make some changes to those this morning to get email flowing inbound.
0
 
Jullez (Network Engineer) commented:
Although FYI - your Outlook users are hitting the internal CAS name and will get the error, so you need to change the CAS names to match the external certificate name.

So everything should be pointing to the external domain name.
0
 
Jullez (Network Engineer) commented:
For the phones, are you getting an error connecting to the server? There is a setting in AD that could cause it:  http://support.microsoft.com/kb/2579075.
0
 
HaulnSS (Author) commented:
When trying to setup my phone, I use the same settings I have always used.

Get the following on my Android - Checking incoming server settings....

after several minutes, The server responded with an error.  Check your username and password then try again.
0
 
Jullez (Network Engineer) commented:
Are you seeing any errors on the exchange server when you try to connect with your phone like Event ID 1053 MSExchange ActiveSync?

Try this :

On a Domain Controller, Click on Start/All Programs/Administrative Tools/Active Directory Users and Computers

Click on View and Select Advanced Features

Select a mailbox that isn't working with ActiveSync (let's try yours), double click on the account, select the Security tab and then the Advanced button.

Select Exchange Servers, and tick the Include inheritable permissions toggle then Apply and OK.

You might also need to apply the changes from http://support.microsoft.com/kb/2579075

Note: This can happen if the user is a member of any of these groups.

Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

If your user IS a member of any of these groups, then have their ActiveSync device ready to be configured, as this fix will "revert" back every hour. If you get it connected and working before it reverts you will be fine.

Note: Users and mailboxes created post migration are NOT affected - did you try with a new mailbox?
0
 
HaulnSS (Author) commented:
FYI, I do get Event ID 1053.  ActiveSync doesn't have sufficient permissions to create container under Active Directory.

Surely this isn't important.....lol   Sorry, a bit of an idiot.
0
 
Jullez (Network Engineer) commented:
It's ok.

Were you able to configure your user with the permissions from above or create a new user and test then?
0
 
HaulnSS (Author) commented:
After changing the info above, I can now configure my phone to work.

Appreciate the help!

Do you know if there is a way for other smartphones to transition smoothly, or do I have to set them all up again?
0
 
Jullez (Network Engineer) commented:
Just change the inheritance settings for users, all the phones should connect with no issues.
0
 
HaulnSS (Author) commented:
That has to be done for all users?  I was hoping it was just me, because of admin group.
0
 
Jullez (Network Engineer) commented:
I can look for a script to do it for all the users, do you know how to check with ADSIEdit the AdminCount for your users? If it's set to 1 (if the user at some point was a member of the groups mentioned above) then you would have to change it to 0 and then enable the checkbox for inheritance.

I know it's a mess, but when moving from 2003 to 2010 these are the issues I ran into, every time.
0
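A way to find the affected accounts before working through them one at a time in ADSIEdit. This is an added example, not from the thread: it lists every user stamped with adminCount=1, whether inheritance is blocked on the object, and whether the user is still in one of the protected groups listed earlier (in which case AdminSDHolder undoes the change within the hour, as Jullez notes). It uses ADSI only, so it runs on any domain-joined machine; `-Fix` is an assumed switch that applies the change only to users who are no longer in those groups.

```powershell
# Added example (not from the thread). Finds users stamped adminCount=1 and
# reports whether ACL inheritance is blocked on their object, the state that
# produces MSExchange ActiveSync Event ID 1053. Uses ADSI only. -Fix is an
# assumed switch; without it the script only reports.
param([switch]$Fix)

# Groups whose members AdminSDHolder protects. Only direct membership is
# checked here; nested membership also counts, so verify before relying on it.
$protected = 'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
             'Domain Controllers', 'Enterprise Admins', 'Print Operators',
             'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'memberOf'))

foreach ($result in $searcher.FindAll()) {
    $entry   = $result.GetDirectoryEntry()
    # $true here means "Include inheritable permissions" is unticked on the object
    $blocked = $entry.psbase.ObjectSecurity.AreAccessRulesProtected
    $groups  = @($result.Properties['memberof']) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
    $stillIn = @($groups | Where-Object { $protected -contains $_ })

    New-Object PSObject -Property @{
        User               = [string]$result.Properties['samaccountname'][0]
        InheritanceBlocked = $blocked
        ProtectedGroups    = ($stillIn -join '; ')
        # AdminSDHolder re-applies the protected ACL hourly while membership remains
        WillRevert         = ($stillIn.Count -gt 0)
    } | Select-Object User, InheritanceBlocked, ProtectedGroups, WillRevert

    if ($Fix -and $blocked -and $stillIn.Count -eq 0) {
        # Re-enable inheritance, keep the explicit ACEs, and clear the stamp
        $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.Put('adminCount', 0)
        $entry.psbase.CommitChanges()
    }
}
```

Run it without -Fix first and review the WillRevert column; accounts that are genuine admins keep reverting and need the per-device timing workaround Jullez describes.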
 
HaulnSS (Author) commented:
That's ok....  So far, no big deal to change security.  I should have a limited number of people that would fall into that group.

I still can't get the original security problem to go away.  Sorry we jumped around on the topics.  Appreciate you hanging with me on this.

I moved another user to the new server as well, they are getting the certificate error as well.

I reran the outlook test and it is looking at mail.domain.com.  My DNS has mail.domain.com and I can ping mail.domain.com and it replies with server address.

I re-issued the certificate with nothing but mail.domain.com, still no luck.
0
 
Jullez (Network Engineer) commented:
What is the error that you are getting on the outlook client? Are you getting the same error on OWA? Can you post an image?
0
 
HaulnSS (Author) commented:
Used Microsoft Remote Connectivity Analyzer.

I get an error at Validating the certificate name

Host name mail.domain.com doesn't match any name found on the server certificate CN=domain.com, OU=Domain Control Validated
0
 
HaulnSS (Author) commented:
No errors in owa yet....been in there for a few minutes.
0
 
Jullez (Network Engineer) commented:
On your exchange, can you see that your certificate is installed properly?

[image: Exchange certificate example]
0
 
HaulnSS (Author) commented:
0
 
Jullez (Network Engineer) commented:
Ok, remove the bottom certificate and move all the services to "GoDaddy" certificate.

Also from outlook client - what is the error you are getting now?
0
 
HaulnSS (Author) commented:
Done...

Here is the error in Remote Connectivity Analyzer

Will get Outlook Error
0
 
HaulnSS (Author) commented:
0
 
Jullez (Network Engineer) commented:
Silly question, your certificate, how did you issue it?

Did you use this?

http://support.godaddy.com/help/article/6086/generating-a-certificate-signing-request-csr-exchange-server-2010
0
 
HaulnSS (Author) commented:
Yep, that is how I did it, several times now.  I verified all client names were mail.domain.com.

This last time, I didn't select autodiscover or anything other than OWA, EAS, Web Services, Outlook Anywhere.
I have not selected Legacy Exchange at all.
0
 
HaulnSS (Author) commented:
I did not do wildcard....FYI
0
 
Jullez (Network Engineer) commented:
On your certificate you have autodiscover.domain.com and mail.domain.com then?
And in your dns you have the autodiscover as well correct?
0
 
HaulnSS (Author) commented:
I did not select autodiscover on the last one.
0
 
Jullez (Network Engineer) commented:
Are you able to reissue the certificate with autodiscover as SAN?
Also have you followed this to install on the server:
http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010

Thank you.
0
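The request, import, verify and bind cycle Jullez is asking about, as an added example in Exchange Management Shell (not the thread's or GoDaddy's own steps). The organization values, file paths and friendly name are placeholders; the point is that both host names go into -DomainName so they land in the SAN, and that the issued file is checked for those names before IIS is bound to it.

```powershell
# Added example (not from the thread). Exchange 2010 UC/SAN certificate
# lifecycle in the Exchange Management Shell: request with both host names,
# import the CA-issued file, verify the names, then bind IIS and SMTP to it.
# Host names, paths and the O/L/S/C values are placeholders to change.
$Names   = 'mail.domain.com', 'autodiscover.domain.com'
$Subject = "CN=$($Names[0]),O=Example Org,L=City,S=State,C=US"

# 1. Generate the CSR. The CN is the first name; every name goes into the SAN list.
$csr = New-ExchangeCertificate -GenerateRequest -SubjectName $Subject `
        -DomainName $Names -KeySize 2048 -PrivateKeyExportable $true `
        -FriendlyName 'Exchange 2010 UC cert'
Set-Content -Path C:\certs\mail.req -Value $csr      # paste this into the CA's request form

# 2. After the CA returns the certificate, import it on the same server
#    (that server holds the private key matching the request).
$bytes = [byte[]](Get-Content -Path C:\certs\issued.cer -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 3. Verify what the CA actually signed before touching any bindings.
#    A "CN=domain.com, OU=Domain Control Validated" subject with no SAN
#    entries for the hosts is the wrong certificate product, not a config error.
$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing   = $Names | Where-Object { $certNames -notcontains $_ }
if ($missing) {
    throw "Certificate $($cert.Thumbprint) lacks: $($missing -join ', '). Subject: $($cert.Subject)"
}

# 4. Bind the new certificate. The cmdlet asks before replacing the SMTP binding.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 5. Confirm only the new certificate carries the IIS service before removing the old one.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject, CertificateDomains -AutoSize
```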
 
CubeOver commented:
Your certificate is issued to a domain, and not to a server.
You need to have CN=mail, DC=domain, DC=com in the "Common Name" field.
Get back to GoDaddy to resolve the issue.

What exactly did you put in step 7 of GoDaddy's guide, "Common Name"?
0
 
HaulnSS (Author) commented:
I have followed that article to install the cert....each time.

OK, I am reissuing with autodiscover.domain.com and mail.domain.com listed as domains for the certificate.

I noticed something different this time.  Step 1, after hitting complete, says that I need a Unified Communication certificate.

Is that different from a standard certificate?
0
 
HaulnSS (Author) commented:
Step 7, I have been using mail.domain.com, every time.
0
 
CubeOver commented:
If this is how GoDaddy issues it (CN=domain.com, OU=Domain Control Validated) you might have to use the wildcard then. I would call them up and ask.
0
 
HaulnSS (Author) commented:
OK, Thank you!  Is there a site you prefer to use?
0
 
CubeOver commented:
autodiscover.domain.com and mail.domain.com are not domains! They are host names.
I think you need a wildcard for domain.com.
Set Common Name = *.domain.com
Follow the wildcard option.
Leave the rest as before, and keep such certificates secure at all times, so nobody can steal it and use it on something like SAP.DOMAIN.COM.
0
 
CubeOver commented:
STARTSSL.COM offers free cert, you have to have domain control (Administrator@domain.com or root@domain.com)
0
 
HaulnSS (Author) commented:
Alright, I am done for now, I will check it out in the morning....  Appreciate all the help!
0
 
HaulnSS (Author) commented:
Great to have your assistance.  Sorry it turned out to be something stupid that I didn't relay correctly.
0