Solved

Exchange 2003 to 2010 problems

Posted on 2014-01-27
Last Modified: 2014-01-28
I have installed an Exchange 2010 server with intent to replace an Exchange 2003 server.  I have moved my mailbox to the 2010 server.  I keep getting a "Security Alert" in Outlook.  The name on the security certificate is invalid or does not match the name of the site.
The name mentioned is mail.domain.com, which is what I want.
In DNS, I have an A record for mail, with the IP address of my 2010 server.

I also am unable to get smartphones to work with the new setup.

My firewall is set to translate mail.domain.com to the new server.

As for my certificate, I went through the process of reissuing it.  I believe it is correct.
Question by:HaulnSS
 
LVL 5

Expert Comment

by:Jullez
ID: 39813214
Are you using a self issued certificate or a third party CA certificate?

On a client, hold Control and right-click the Outlook icon, then run "Test E-mail AutoConfiguration" with "Use Autodiscover" checked.

This should tell you which server it's trying to connect to, etc.

The Exchange Web Service (EWS) is the web service that allows access to the Out of Office service. If either the internal or external URL for the EWS is missing or incorrect, OOF will fail and other services may not work as expected. Using Exchange Management Shell, check the URLs assigned to the web service virtual directory using the Get-WebServicesVirtualDirectory command.


You need to make sure that you configure EWS, Autodiscover, OWA, OAB, ECP correctly.

Post if you need help, or post results so we can continue.
 

Author Comment

by:HaulnSS
ID: 39813282
I am using GoDaddy to issue the certificate.  

I tried Control + right-click on the Outlook icon, no luck.  Control or no Control produces the same result.

I don't seem to know where to look for the EWS internal/external URLs.  I have looked at ECP, OWA, ActiveSync, etc.

Running the command you suggested produces: Server - in-house server name, InternalUrl https://mail.domain.com/EWS/Exchange.asmx
That is what I want it to be....

FYI, OWA in house works fine, using both servername.domain.com and mail.domain.com

Thanks for help!
 
LVL 5

Expert Comment

by:Jullez
ID: 39813297
On the Outlook icon on the bottom bar near the clock, when Outlook is running.

Outlook: right-click with Control for auto config.
Did you set up split DNS on your DNS server?
Assuming the GoDaddy certificate was issued with the new requirements, you could not use your internal name for your server, so on the certificate your external name was used. You would need to set up a new DNS zone on your DNS server that lists all of your external services for your internal users.

For EWS: Get-WebServicesVirtualDirectory |fl identity,internalurl,externalurl

To set: Set-WebServicesVirtualDirectory -Identity "casserver1\EWS (Default Web Site)" -InternalUrl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$true

same for external if needed.

Get-AutodiscoverVirtualDirectory

To see the settings

[PS] C:\Windows\system32>Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

To fix:

Set-ClientAccessServer -Identity casserver -AutoDiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml


Now for Outlook Web App, Exchange Control Panel, Exchange ActiveSync and Offline Address Book, you have to go to the Exchange Management Console (EMC):
1. Go to one of the CAS servers
2. Open EMC
3. Go to Server Configuration
4. Select Client Access
5. In the middle top panel, you can see the CAS server listed.
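The checks in the comment above, collected into one script. This is an added example, not code from the thread or from Microsoft: it audits every Exchange 2010 client access URL, the Autodiscover SCP and the Outlook Anywhere host name against the name on the public certificate and can rewrite the mismatches. It assumes a server named EX2010 and a public name of mail.domain.com (both placeholders) and runs in the Exchange Management Shell.

```powershell
# Added example (not from the thread): audit the Exchange 2010 client access
# URLs, the Autodiscover SCP and the Outlook Anywhere host name against the
# name on the public certificate, and optionally rewrite the mismatches.
# Run in the Exchange Management Shell on the 2010 server.
# Placeholders (assumptions): the server name and the public host name.
$Server     = "EX2010"
$PublicName = "mail.domain.com"
$Fix        = $false   # set to $true to rewrite every mismatching URL

# Every URL Outlook, OWA, ActiveSync and the OAB downloader are handed must
# use a host name that is on the certificate, otherwise clients get the
# "name on the security certificate is invalid" warning.
$expected = @{
    "EWS"          = "https://$PublicName/EWS/Exchange.asmx"
    "OWA"          = "https://$PublicName/owa"
    "ECP"          = "https://$PublicName/ecp"
    "ActiveSync"   = "https://$PublicName/Microsoft-Server-ActiveSync"
    "OAB"          = "https://$PublicName/OAB"
    "Autodiscover" = "https://$PublicName/Autodiscover/Autodiscover.xml"
}

# Get/Set pairs per virtual directory; identities are the names Exchange 2010
# creates under the Default Web Site.
$vdirs = @(
    @{ Name = "EWS";        Id = "$Server\EWS (Default Web Site)"
       Get = { Get-WebServicesVirtualDirectory -Server $Server }
       Set = { param($i, $u) Set-WebServicesVirtualDirectory -Identity $i -InternalUrl $u -ExternalUrl $u } }
    @{ Name = "OWA";        Id = "$Server\owa (Default Web Site)"
       Get = { Get-OwaVirtualDirectory -Server $Server }
       Set = { param($i, $u) Set-OwaVirtualDirectory -Identity $i -InternalUrl $u -ExternalUrl $u } }
    @{ Name = "ECP";        Id = "$Server\ecp (Default Web Site)"
       Get = { Get-EcpVirtualDirectory -Server $Server }
       Set = { param($i, $u) Set-EcpVirtualDirectory -Identity $i -InternalUrl $u -ExternalUrl $u } }
    @{ Name = "ActiveSync"; Id = "$Server\Microsoft-Server-ActiveSync (Default Web Site)"
       Get = { Get-ActiveSyncVirtualDirectory -Server $Server }
       Set = { param($i, $u) Set-ActiveSyncVirtualDirectory -Identity $i -InternalUrl $u -ExternalUrl $u } }
    @{ Name = "OAB";        Id = "$Server\OAB (Default Web Site)"
       Get = { Get-OabVirtualDirectory -Server $Server }
       Set = { param($i, $u) Set-OabVirtualDirectory -Identity $i -InternalUrl $u -ExternalUrl $u } }
)

$rows = @()
foreach ($v in $vdirs) {
    $vd  = & $v.Get
    $bad = $false
    foreach ($side in "InternalUrl", "ExternalUrl") {
        $actual = [string]$vd.$side
        $ok     = ($actual -eq $expected[$v.Name])
        if (-not $ok) { $bad = $true }
        $rows += New-Object PSObject -Property @{
            Service = $v.Name; Side = $side; OK = $ok; Actual = $actual; Expected = $expected[$v.Name] }
    }
    if ($bad -and $Fix) { & $v.Set $v.Id $expected[$v.Name] }
}

# Autodiscover is an SCP on the CAS object, not a virtual directory URL;
# domain-joined Outlook reads it first, before trying autodiscover.domain.com.
$cas = Get-ClientAccessServer -Identity $Server
$scp = [string]$cas.AutoDiscoverServiceInternalUri
$ok  = ($scp -eq $expected["Autodiscover"])
$rows += New-Object PSObject -Property @{
    Service = "Autodiscover"; Side = "SCP"; OK = $ok; Actual = $scp; Expected = $expected["Autodiscover"] }
if (-not $ok -and $Fix) {
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri $expected["Autodiscover"]
}

# Outlook Anywhere publishes a bare host name rather than a URL.
$oa = Get-OutlookAnywhere -Server $Server
if ($oa) {
    $ok = ([string]$oa.ExternalHostname -eq $PublicName)
    $rows += New-Object PSObject -Property @{
        Service = "OutlookAnywhere"; Side = "ExternalHostname"; OK = $ok; Actual = [string]$oa.ExternalHostname; Expected = $PublicName }
    if (-not $ok -and $Fix) { Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $PublicName }
}

$rows | Select-Object Service, Side, OK, Actual, Expected | Format-Table -AutoSize
if ($Fix) { Write-Host "URLs rewritten; run 'iisreset /noforce' on $Server so IIS picks them up." }
```

Run it once with `$Fix = $false` to see the table, then with `$Fix = $true`. Every host name the table ends up with must also be on the certificate and must resolve internally (split DNS), or the warning simply moves from one name to another; Test-OutlookWebServices in the same shell is a second opinion after the change.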
 

Author Comment

by:HaulnSS
ID: 39813378
Ah....that....LOL

Got it....  what do I want to see here on the Test E-mail AutoConfiguration?
Internal is servername.domain.com
External is mail.domain.com

Ok...  EWS shows the same internal/external mail.domain.com

Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
Shows Identity: Server name, AutodiscoverInternal: mail.domain.com
I ran the fix you attached

OWA
Internal: servername.domain.com
External: mail.domain.com

ECP
Same as OWA

Exchange ActiveSync
Both: mail.domain.com

OAB
Both: mail.domain.com
 
LVL 5

Expert Comment

by:Jullez
ID: 39813417
Make everything point to your external mail server name and set up split DNS.

Create a new zone on your internal DNS server: domain.com (your external domain)

Create A records as needed (you can look at the zone file that is hosted on your domain's name server):

www          A    external IP

mail           A    internal IP
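The split DNS zone described above, as an added example that is not part of the original post. It uses dnscmd, which ships with the Windows Server DNS role, assumes the AD domain is not itself domain.com (if it is, the zone already exists and only the records are needed), and uses placeholder addresses; the check at the end resolves the names the same way a LAN client will.

```powershell
# Added example (not from the thread): build the internal copy of the public
# zone with dnscmd on the internal DNS server, so that mail.domain.com and
# autodiscover.domain.com resolve to the private address inside and to the
# firewall outside, then check the result the way a client sees it.
# Placeholders (assumptions): the zone and both IP addresses.
$Zone       = "domain.com"
$InternalIP = "192.168.10.25"   # the 2010 server's LAN address
$ExternalIP = "203.0.113.25"    # public address for the web site

# Once domain.com exists here, internal clients never see the public zone
# again, so every public record they still need (www, MX, anything else in
# the hosting provider's zone file) has to be recreated in this copy.
dnscmd /ZoneAdd $Zone /DsPrimary          # AD-integrated; standalone: /Primary /file "$Zone.dns"
dnscmd /RecordAdd $Zone mail         A  $InternalIP
dnscmd /RecordAdd $Zone autodiscover A  $InternalIP
dnscmd /RecordAdd $Zone www          A  $ExternalIP
dnscmd /RecordAdd $Zone "@"          MX 10 "mail.$Zone"   # for internal senders that look up MX

function Test-SplitDns {
    param([string] $Name, [string] $ExpectedIP)
    # Resolves through the machine's configured resolver, exactly as Outlook
    # and the phones on the LAN will.
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    return ($addrs -contains $ExpectedIP)
}

ipconfig /flushdns | Out-Null
Test-SplitDns -Name "mail.$Zone"         -ExpectedIP $InternalIP   # True from the LAN
Test-SplitDns -Name "autodiscover.$Zone" -ExpectedIP $InternalIP   # what Outlook tries after the SCP
```

The autodiscover record matters for non-domain-joined clients and phones, which never see the SCP; the www and MX lines are there because the internal zone shadows the public one completely, which is the usual way a split DNS rollout breaks something unrelated to mail.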
 

Author Comment

by:HaulnSS
ID: 39813440
Just to clarify, OWA and ECP are the only items that need to be fixed.  Do I need to do anything other than changing them in EMC?

I have DNS setup already.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813455
Nope, should be all set if that is the only change.
 

Author Comment

by:HaulnSS
ID: 39813457
Made those changes....still no luck on Outlook not giving error.
 

Author Comment

by:HaulnSS
ID: 39813460
I blew away my email on my phone and tried to set it up again too....no go
 

Author Comment

by:HaulnSS
ID: 39813463
Would Authentication or Permission Groups on the Receive Connectors have any bearing on the phones?

I had to make some changes to those this morning to get email flowing inbound.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813467
Although, FYI, your Outlook users are hitting the internal CAS name and will get the error, so you need to change the CAS names to match the external certificate name.

So everything should be pointing to the external domain name.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813476
For the phones, are you getting an error connecting to the server? There is a setting in AD that could cause it:  http://support.microsoft.com/kb/2579075.
 

Author Comment

by:HaulnSS
ID: 39813520
When trying to setup my phone, I use the same settings I have always used.

Get the following on my Android - Checking incoming server settings....

after several minutes, The server responded with an error.  Check your username and password then try again.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813532
Are you seeing any errors on the exchange server when you try to connect with your phone like Event ID 1053 MSExchange ActiveSync?

Try this :

On a Domain Controller, Click on Start/All Programs/Administrative Tools/Active Directory Users and Computers

Click on View and Select Advanced Features

Select a mailbox that isn't working with ActiveSync (let's try yours), double-click on the account, select the Security tab and then the Advanced button.

Select Exchange Servers, and tick the "Include inheritable permissions" toggle, then Apply and OK.

You might also need to apply the changes from http://support.microsoft.com/kb/2579075

Note: This can happen if the user is a member of any of these groups.

Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

If your user IS a member of any of these groups, then have their ActiveSync device ready to be configured, as this fix will "revert" back every hour. If you get it connected and working before it reverts you will be fine.

Note: Users and mailboxes created post-migration are NOT affected. Did you try with a new mailbox?
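The inheritance fix above, done from a script rather than one user at a time in ADUC. This is an added example, not code from the thread or from Microsoft's KB article. It assumes the ActiveDirectory module (a Windows Server 2008 R2 DC or RSAT); the "every hour" revert the comment mentions is the AdminSDHolder/SDProp process, which keeps re-protecting any account that is still a member of one of the listed groups, so the script reports that membership alongside the fix.

```powershell
# Added example (not from the thread): list the users whose AD object has had
# inheritance switched off by AdminSDHolder (adminCount=1), restore it so the
# Exchange Servers group can again create the ActiveSync device container
# under the user (Event ID 1053), and flag the users who are still in a
# protected group, because for them SDProp will undo this within the hour.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 DC or RSAT).
Import-Module ActiveDirectory

# Groups whose members AdminSDHolder protects (the list from the thread).
$ProtectedGroups = "Account Operators", "Administrators", "Backup Operators",
    "Domain Admins", "Domain Controllers", "Enterprise Admins", "Print Operators",
    "Read-only Domain Controllers", "Replicator", "Schema Admins", "Server Operators"

function Get-InheritanceBlockedUser {
    # adminCount=1 is the mark SDProp leaves behind and never clears;
    # AreAccessRulesProtected is the "Include inheritable permissions" box unticked.
    Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }
}

function Get-ProtectedGroupMembership {
    param($User)
    # Direct memberships only; nested membership through another group also
    # counts for SDProp, so an empty result is a strong hint, not proof.
    Get-ADPrincipalGroupMembership -Identity $User |
        Where-Object { $ProtectedGroups -contains $_.Name } |
        ForEach-Object { $_.Name }
}

function Repair-UserInheritance {
    param([Parameter(Mandatory = $true)] $User, [switch] $ReportOnly)
    $path = "AD:\" + $User.DistinguishedName
    $acl  = Get-Acl -Path $path
    # $false: stop blocking inheritance; $true: keep the explicit ACEs already there.
    $acl.SetAccessRuleProtection($false, $true)
    if (-not $ReportOnly) {
        Set-Acl -Path $path -AclObject $acl
        Set-ADUser -Identity $User -Clear adminCount   # clear the mark as well
    }
}

foreach ($u in Get-InheritanceBlockedUser) {
    $still = @(Get-ProtectedGroupMembership -User $u)
    Repair-UserInheritance -User $u
    if ($still.Count -gt 0) {
        Write-Warning ("{0}: inheritance restored, but still a member of {1}; SDProp will block it again within 60 minutes, so configure the phone now or use a separate non-admin mailbox account." -f $u.SamAccountName, ($still -join ", "))
    } else {
        Write-Host ("{0}: inheritance restored." -f $u.SamAccountName)
    }
}
```

For accounts that are genuinely still privileged, re-enabling inheritance is a deliberate weakening of the protection AdminSDHolder exists to provide, and it will not stick anyway; the durable answer there is a separate, non-privileged account that owns the mailbox and the phone. The script's real value is the other case, users who were once in a group like Print Operators, left it years ago, and still carry adminCount=1 with inheritance off.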
 

Author Comment

by:HaulnSS
ID: 39813585
FYI, I do get Event ID 1053.  ActiveSync doesn't have sufficient permissions to create container under Active Directory.

Surely this isn't important.....lol   Sorry, a bit of an idiot.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813593
It's ok.

Were you able to configure your user with the permissions from above or create a new user and test then?
 

Author Comment

by:HaulnSS
ID: 39813604
After changing the info above, I can now configure my phone to work.

Appreciate the help!

Do you know if there is a way for other smartphones to transition smoothly, or do I have to set them all up again?
 
LVL 5

Expert Comment

by:Jullez
ID: 39813626
Just change the inheritance settings for users, all the phones should connect with no issues.
 

Author Comment

by:HaulnSS
ID: 39813631
That has to be done for all users?  I was hoping it was just me, because of admin group.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813702
I can look for a script to do it for all the users. Do you know how to check the AdminCount for your users with ADSIEdit? If it's set to 1 (if the user at some point was a member of the groups mentioned above) then you would have to change it to 0 and then enable the checkbox for inheritance.

I know it's a mess, but when moving from 2003 to 2010 these are the issues I ran into, every time.
 

Author Comment

by:HaulnSS
ID: 39813719
That's ok....  So far, no big deal to change security.  I should have a limited number of people that would fall into that group.

I still can't get the original security problem to go away.  Sorry we jumped around on the topics.  Appreciate you hanging with me on this.

I moved another user to the new server as well, they are getting the certificate error as well.

I reran the outlook test and it is looking at mail.domain.com.  My DNS has mail.domain.com and I can ping mail.domain.com and it replies with server address.

I re-issued the certificate with nothing but mail.domain.com, still no luck.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813749
What is the error that you are getting on the outlook client? Are you getting the same error on OWA? Can you post an image?

Author Comment

by:HaulnSS
ID: 39813750
I used the Microsoft Remote Connectivity Analyzer.

I get an error at "Validating the certificate name":

Host name mail.domain.com doesn't match any name found on the server certificate CN=domain.com, OU=Domain Control Validated
 

Author Comment

by:HaulnSS
ID: 39813754
No errors in OWA yet.... been in there for a few minutes.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813767
On your exchange, can you see that your certificate is installed properly?

(screenshot: Exchange certificate example)
 

Author Comment

by:HaulnSS
ID: 39813786
(screenshot of the server's certificate list attached)
 
LVL 5

Expert Comment

by:Jullez
ID: 39813798
Ok, remove the bottom certificate and move all the services to the "GoDaddy" certificate.

Also from outlook client - what is the error you are getting now?
 

Author Comment

by:HaulnSS
ID: 39813817
Done...

Here is the error in Remote Connectivity Analyzer (screenshot attached)

Will get Outlook error
 

Author Comment

by:HaulnSS
ID: 39813825
(screenshot of the Outlook error attached)
 
LVL 5

Expert Comment

by:Jullez
ID: 39813840
Silly question, your certificate, how did you issue it?

Did you use this?

http://support.godaddy.com/help/article/6086/generating-a-certificate-signing-request-csr-exchange-server-2010
 

Author Comment

by:HaulnSS
ID: 39813851
Yep, that is how I did it, several times now.  I verified all client names were mail.domain.com.

This last time, I didn't select autodiscover or anything other than OWA, EAS, Web Services, Outlook Anywhere.
I have not selected Legacy Exchange at all.
 

Author Comment

by:HaulnSS
ID: 39813854
I did not do wildcard....FYI
 
LVL 5

Expert Comment

by:Jullez
ID: 39813866
On your certificate you have autodiscover.domain.com and mail.domain.com then?
And in your dns you have the autodiscover as well correct?
 

Author Comment

by:HaulnSS
ID: 39813870
I did not select autodiscover on the last one.
 
LVL 5

Expert Comment

by:Jullez
ID: 39813872
Are you able to reissue the certificate with autodiscover as SAN?
Also, have you followed this to install it on the server:
http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010

Thank you.
 
LVL 2

Expert Comment

by:CubeOver
ID: 39813881
Your certificate is issued to a domain, and not to a server.
You need to have CN=mail, DC=domain, DC=com in the "Common Name" field.
Get back to GoDaddy to resolve the issue.

What exactly did you put in step 7 of GoDaddy's guide, "Common Name"?
 

Author Comment

by:HaulnSS
ID: 39813888
I have followed that article to install the cert....each time.

OK, I am reissuing with autodiscover.domain.com and mail.domain.com listed as domains for the certificate.

I noticed something different this time.  Step 1, after hitting complete, says that I need a Unified Communication certificate.

Is that different from a standard certificate?
 

Author Comment

by:HaulnSS
ID: 39813892
Step 7, I have been using mail.domain.com, everytime.
 
LVL 2

Expert Comment

by:CubeOver
ID: 39813893
If this is how GoDaddy issues it (CN=domain.com, OU=Domain Control Validated) you might have to use the wildcard then. I would call them up and ask.
 

Author Comment

by:HaulnSS
ID: 39813900
OK, Thank you!  Is there a site you prefer to use?
 
LVL 2

Expert Comment

by:CubeOver
ID: 39813902
autodiscover.domain.com and mail.domain.com are not domains! They are host names.
I think you need a wildcard for domain.com.
Set Common Name = *.domain.com
Follow the wildcard option.
Leave the rest as before, and keep such certificates secure at all times, so nobody can steal it and use it on something like SAP.DOMAIN.COM.
 
LVL 2

Expert Comment

by:CubeOver
ID: 39813910
STARTSSL.COM offers a free cert; you have to have domain control (Administrator@domain.com or root@domain.com).
 
LVL 5

Accepted Solution

by:Jullez (earned 500 total points)
ID: 39813918
It is different from a regular certificate: you need a Unified Communications certificate, which will allow you to use more than one name for your server. Do not use a wildcard.

You are "Generating a Certificate Signing Request (CSR) - Exchange Server 2010". You are not issuing a domain certificate...
Use the link I gave you above to issue, then use the second one to install.
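The accepted answer in shell form. This is an added example, not code from the thread or from GoDaddy's article: it requests a UC (SAN) certificate from the Exchange 2010 server, imports and binds the signed certificate, and then performs the same "Validating the certificate name" check the Remote Connectivity Analyzer failed on, by opening TLS to the public name and reading the CN and SAN entries the server actually presents. Server name, organisation, file paths and the two host names are placeholders.

```powershell
# Added example (not from the thread): request a UC (SAN) certificate from the
# 2010 server, install and bind it, then read back the names the server
# actually presents on port 443, which is the check the Remote Connectivity
# Analyzer's "Validating the certificate name" step performs.
# Placeholders (assumptions): server name, organisation, file paths and the
# two host names.
$Server = "EX2010"
$Names  = "mail.domain.com", "autodiscover.domain.com"

# 1. CSR: the first name is the CN, every name goes into the SAN extension.
#    GoDaddy's order form calls this a UCC; a single-name order for the bare
#    domain comes back as CN=domain.com and fails the name check below.
$csr = New-ExchangeCertificate -GenerateRequest -Server $Server -KeySize 2048 `
         -PrivateKeyExportable $true -FriendlyName "Exchange UCC" `
         -SubjectName "C=US, O=Contoso Ltd, CN=$($Names[0])" -DomainName $Names
Set-Content -Path "C:\certs\exchange-ucc.req" -Value $csr

# 2. Once the CA returns the signed certificate: import, bind IIS to it (add
#    SMTP too if the connectors should use it), then remove the self-signed one.
$cert = Import-ExchangeCertificate -Server $Server `
          -FileData ([Byte[]](Get-Content -Path "C:\certs\exchange-ucc.crt" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services "IIS"

# 3. Independent check: TLS handshake to the public name and list CN + SANs.
function Get-ServedCertificateName {
    param([string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any chain here: this inspects names, it does not judge trust.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @()
        if ($x.Subject -match "CN=([^,]+)") { $names += $matches[1] }
        $san = $x.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
        if ($san) {
            foreach ($m in [regex]::Matches($san.Format($false), "DNS Name=([^,\s]+)")) {
                $names += $m.Groups[1].Value
            }
        }
        $names | Select-Object -Unique
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-CertificateCoversName {
    param([string] $HostName, [string[]] $Required)
    $served  = @(Get-ServedCertificateName -HostName $HostName)
    $missing = @($Required | Where-Object { $served -notcontains $_ })
    New-Object PSObject -Property @{
        Served = ($served -join ", "); Missing = ($missing -join ", "); OK = ($missing.Count -eq 0) }
}

# From the LAN this exercises split DNS as well; from outside, the firewall NAT.
Test-CertificateCoversName -HostName $Names[0] -Required $Names
```

Against the certificate in this thread the check returns Served = "domain.com" (plus whatever SAN GoDaddy added) and Missing = "mail.domain.com, autodiscover.domain.com", which is exactly the RCA failure; after the UCC is bound and the old self-signed certificate is removed from IIS, Missing is empty. Running it from both inside and outside the firewall catches the case where the NAT rule or split DNS still sends one side to the old 2003 server.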
 

Author Comment

by:HaulnSS
ID: 39813925
Alright, I am done for now, I will check it out in the morning....  Appreciate all the help!
 

Author Closing Comment

by:HaulnSS
ID: 39814968
Great to have your assistance.  Sorry it turned out to be something stupid that I didn't relay correctly.