?
Solved

Outlook Anywhere keeps requesting the wrong domain??

Posted on 2014-01-28
7
Medium Priority
?
973 Views
Last Modified: 2014-01-29
Hi

Have a client setup which has been working for years. Exchange 2010 all patched up.

The domain that everything is set up as is say my-client.com

Everything is set up working great (autodiscover, all URI's, OWA, etc).

3rd Party Wildcard SSL Cert for installed.

Client decides to change the corporate identity to myclientgroup.co.uk

All Primary SMTP emails are set as myclientgroup.co.uk, and it is added as an accepted domain. MX records point to my-client.com records.

All mobile devices etc are still pointing to the old domain, because as the far as the system is concerned that is the only domain that matters.

However on a laptop with Outlook 2010, using Outlook Anywhere and proxy settings all pointing to my-client.com - when Outlook opens it complains that the cert is not matching, because it is looking for autodiscover.myclientgroup.co.uk and the SSL Cert is *.my-client.com

WHY is it asking for autodiscover of the new domain name, when everything still points to the old domain? As far as the system concerned the new domain is just an alias.
0
Comment
Question by:bikerhong
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 

Author Comment

by:bikerhong
ID: 39815026
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

This also shows it is set to the "old" domain!
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39816815
in your certificate add the new domain to the SAN certificate (this way the certificate knows about the alternate naming / alias)
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39817066
Autodiscover works in one of two ways.
Internally it will query the value of get-clientaccessserver | select identity, autodiscoverserviceinternalUri. The value there has no connection to the primary domain name on the user account.

However externally, because it cannot query the domain, it will use DNS lookups - which will be Autodiscover.example.com, where example.com is the primary email address domain.
As you have now changed the primary domain, that query now fails to work correctly, because the old SSL certificate is in place.

You have two options here, depending on what your external DNS provider supports.

If they support SRV records, then remove the wildcard from the new domain (so Autodiscover.example.com does NOT resolve) and configure an SRV record for Autodiscover to point to a host name in your old domain. http://semb.ee/srv

If they do not support SRV records, then you will have to change your wildcard SSL certificate to a UCC (Aka SAN) type certificate which will allow you to have host names on the certificate for both the old and the new domain. That way you will continue to work correctly for the devices that you cannot modify easily because they are mobile.

A wildcard certificate is NOT a UCC/SAN certificate and is not usually recommended for use with Exchange.

Simon.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:bikerhong
ID: 39817218
Hi Simon

I see, thank you for explaining!

I would like to try the SRV record method.

I removed autodiscover.newdomain.com and for the SRV record I am required to input these values:

Hostname _autodiscover._tcp (example is _sip._tcp)
Type SRV
Priority 20
TTL ???
Destination SRV ??? (example is 1 5061 aaa.domain.com)

Not too sure what to put in for the TTL and destination?
0
 

Author Comment

by:bikerhong
ID: 39817229
Ok, found a help article explaining the numbers!

This is what I have input:

_autodiscover._tcp SRV 20 3600 0 443 mail.olddomain.com

Is this right? Outlook is still prompting the error as it is looking for autodiscover.newdomain.com
0
 

Author Comment

by:bikerhong
ID: 39817237
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer successfully contacted the Autodiscover service using the DNS SRV redirect method.
       
      Additional Details
       
Elapsed Time: 3944 ms.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.newdomain.co.uk in DNS.
       The Autodiscover SRV record was successfully retrieved from DNS.
       
      Additional Details
       
The Service Location (SRV) record lookup returned host mailhost.olddomain.co.uk.
Elapsed Time: 518 ms.
      Attempting to test potential Autodiscover URL https://mailhost.olddomain.co.uk/Autodiscover/Autodiscover.xml
       Testing of the Autodiscover URL was successful.
       
      Additional Details
       
Elapsed Time: 3425 ms.
       
      Test Steps
       
      Attempting to resolve the host name mailhost.olddomain.co.uk in DNS.
       The host name resolved successfully.
       
      Additional Details
       
IP addresses returned: 194.168.47.239
Elapsed Time: 389 ms.
      Testing TCP port 443 on host mailhost.olddomain.co.uk to ensure it's listening and open.
       The port was opened successfully.
       
      Additional Details
       
Elapsed Time: 353 ms.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Additional Details
       
Elapsed Time: 691 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mailhost.olddomain.co.uk on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
       
      Additional Details
       
Remote Certificate Subject: CN=*.olddomain.co.uk, OU=Domain Control Validated, O=*.olddomain.co.uk, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 596 ms.
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       
The host name that was found, mailhost.olddomain.co.uk, is a wildcard certificate match for common name *.olddomain.co.uk.
Elapsed Time: 0 ms.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.olddomain.co.uk, OU=Domain Control Validated, O=*.olddomain.co.uk.
       One or more certificate chains were constructed successfully.
       
      Additional Details
       
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 21 ms.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
       
      Additional Details
       
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 3 ms.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       
The certificate is valid. NotBefore = 5/10/2011 3:59:15 PM, NotAfter = 5/10/2016 3:59:15 PM
Elapsed Time: 0 ms.
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       
Accept/Require Client Certificates isn't configured.
Elapsed Time: 622 ms.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
       
      Additional Details
       
Elapsed Time: 1367 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://mailhost.olddomain.co.uk/Autodiscover/Autodiscover.xml for user user@newdomain.co.uk.
       The Autodiscover XML response was successfully retrieved.
       
      Additional Details
       
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<Culture>en:us</Culture>
<User>
<DisplayName>user Higgs</DisplayName>
<EMailAddress>user@newdomain.co.uk</EMailAddress>
</User>
<Action>
<Settings>
<Server>
<Type>MobileSync</Type>
<Url>https://mailhost.olddomain.co.uk/Microsoft-Server-ActiveSync</Url>
<Name>https://mailhost.olddomain.co.uk/Microsoft-Server-ActiveSync</Name>
</Server>
</Settings>
</Action>
</Response>
</Autodiscover>
Elapsed Time: 1367 ms.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39817600
It could just be that the changes are cached on the client, because the test site would appear to be working correctly.

Simon.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In-place Upgrading Dirsync to Azure AD Connect
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
Suggested Courses
Course of the Month9 days, 3 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question