Solved

Outlook Anywhere keeps requesting the wrong domain??

Posted on 2014-01-28
Last Modified: 2014-01-29
Hi

Have a client setup which has been working for years. Exchange 2010 all patched up.

The domain that everything is set up as is say my-client.com

Everything is set up working great (autodiscover, all URI's, OWA, etc).

3rd Party Wildcard SSL Cert for installed.

Client decides to change the corporate identity to myclientgroup.co.uk

All Primary SMTP emails are set as myclientgroup.co.uk, and it is added as an accepted domain. MX records point to my-client.com records.

All mobile devices etc are still pointing to the old domain, because as far as the system is concerned that is the only domain that matters.

However on a laptop with Outlook 2010, using Outlook Anywhere and proxy settings all pointing to my-client.com - when Outlook opens it complains that the cert is not matching, because it is looking for autodiscover.myclientgroup.co.uk and the SSL Cert is *.my-client.com

WHY is it asking for autodiscover of the new domain name, when everything still points to the old domain? As far as the system is concerned the new domain is just an alias.
Question by:bikerhong

Author Comment

by:bikerhong
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

This also shows it is set to the "old" domain!

Expert Comment

by:David Johnson, CD, MVP
In your certificate, add the new domain to the SAN certificate (this way the certificate knows about the alternate naming / alias).

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
Autodiscover works in one of two ways.
Internally it will query the value of get-clientaccessserver | select identity, autodiscoverserviceinternalUri. The value there has no connection to the primary domain name on the user account.

However externally, because it cannot query the domain, it will use DNS lookups - which will be Autodiscover.example.com, where example.com is the primary email address domain.
As you have now changed the primary domain, that query now fails to work correctly, because the old SSL certificate is in place.

You have two options here, depending on what your external DNS provider supports.

If they support SRV records, then remove the wildcard from the new domain (so Autodiscover.example.com does NOT resolve) and configure an SRV record for Autodiscover to point to a host name in your old domain. http://semb.ee/srv

If they do not support SRV records, then you will have to change your wildcard SSL certificate to a UCC (aka SAN) type certificate, which will allow you to have host names on the certificate for both the old and the new domain. That way you will continue to work correctly for the devices that you cannot modify easily because they are mobile.

A wildcard certificate is NOT a UCC/SAN certificate and is not usually recommended for use with Exchange.

Simon.
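
The external lookup order described in the answer above, together with the SRV record from the follow-up comments, as an added example (not code from the thread or from Microsoft): a simplified Python model that omits the HTTP redirect step. The host mail.my-client.com, the DNS data and the certificate name list are constructed sample values.

```python
# Added illustration, not code from the thread. A simplified model of the lookups
# Outlook makes outside the LAN; DNS data and certificate names are constructed.

def cert_covers(host, cert_names):
    """True if a certificate name matches host; '*' stands for one left-most label only."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def trace_autodiscover(email, resolvable, srv_records, certs):
    """List (method, host, outcome) per lookup, stopping at the first clean success.

    resolvable:  host names that answer in public DNS (a wildcard record makes every name answer)
    srv_records: {"_autodiscover._tcp.<domain>": (priority, weight, port, target)}
    certs:       {host: names on the certificate that host presents}
    """
    domain = email.rsplit("@", 1)[1].lower()   # primary SMTP domain drives every lookup
    steps = []
    for host in (domain, "autodiscover." + domain):
        if host not in resolvable:
            steps.append(("https", host, "no DNS record"))
        elif cert_covers(host, certs.get(host, [])):
            steps.append(("https", host, "ok"))
            return steps
        else:  # this is where Outlook raises the certificate prompt
            steps.append(("https", host, "certificate name mismatch"))
    srv = srv_records.get("_autodiscover._tcp." + domain)
    if srv is None:
        steps.append(("srv", None, "no SRV record"))
        return steps
    target = srv[3].rstrip(".").lower()         # priority, weight and port are not modelled
    ok = cert_covers(target, certs.get(target, []))
    steps.append(("srv", target, "ok" if ok else "certificate name mismatch"))
    return steps

# Constructed sample data using the domain names from the question.
WILDCARD = ["*.my-client.com"]
CERTS = {"autodiscover.myclientgroup.co.uk": WILDCARD, "mail.my-client.com": WILDCARD}
SRV = {"_autodiscover._tcp.myclientgroup.co.uk": (20, 0, 443, "mail.my-client.com")}
USER = "user@myclientgroup.co.uk"

if __name__ == "__main__":
    for label, names in (("wildcard DNS in place", set(CERTS)), ("wildcard DNS removed", {"mail.my-client.com"})):
        print(label)
        for step in trace_autodiscover(USER, names, SRV, CERTS):
            print("  ", step)
```

The mismatch row in the first trace is the prompt from the question: the TLS name check is doing its job, so the fix belongs in DNS or on the certificate rather than in users accepting the warning.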
 

Author Comment

by:bikerhong
Hi Simon

I see, thank you for explaining!

I would like to try the SRV record method.

I removed autodiscover.newdomain.com and for the SRV record I am required to input these values:

Hostname _autodiscover._tcp (example is _sip._tcp)
Type SRV
Priority 20
TTL ???
Destination SRV ??? (example is 1 5061 aaa.domain.com)

Not too sure what to put in for the TTL and destination?

Author Comment

by:bikerhong
Ok, found a help article explaining the numbers!

This is what I have input:

_autodiscover._tcp SRV 20 3600 0 443 mail.olddomain.com

Is this right? Outlook is still prompting the error as it is looking for autodiscover.newdomain.com

Author Comment

by:bikerhong
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer successfully contacted the Autodiscover service using the DNS SRV redirect method.
       
      Additional Details
       
Elapsed Time: 3944 ms.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.newdomain.co.uk in DNS.
       The Autodiscover SRV record was successfully retrieved from DNS.
       
      Additional Details
       
The Service Location (SRV) record lookup returned host mailhost.olddomain.co.uk.
Elapsed Time: 518 ms.
      Attempting to test potential Autodiscover URL https://mailhost.olddomain.co.uk/Autodiscover/Autodiscover.xml
       Testing of the Autodiscover URL was successful.
       
      Additional Details
       
Elapsed Time: 3425 ms.
       
      Test Steps
       
      Attempting to resolve the host name mailhost.olddomain.co.uk in DNS.
       The host name resolved successfully.
       
      Additional Details
       
IP addresses returned: 194.168.47.239
Elapsed Time: 389 ms.
      Testing TCP port 443 on host mailhost.olddomain.co.uk to ensure it's listening and open.
       The port was opened successfully.
       
      Additional Details
       
Elapsed Time: 353 ms.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Additional Details
       
Elapsed Time: 691 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mailhost.olddomain.co.uk on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
       
      Additional Details
       
Remote Certificate Subject: CN=*.olddomain.co.uk, OU=Domain Control Validated, O=*.olddomain.co.uk, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 596 ms.
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       
The host name that was found, mailhost.olddomain.co.uk, is a wildcard certificate match for common name *.olddomain.co.uk.
Elapsed Time: 0 ms.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.olddomain.co.uk, OU=Domain Control Validated, O=*.olddomain.co.uk.
       One or more certificate chains were constructed successfully.
       
      Additional Details
       
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 21 ms.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
       
      Additional Details
       
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 3 ms.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       
The certificate is valid. NotBefore = 5/10/2011 3:59:15 PM, NotAfter = 5/10/2016 3:59:15 PM
Elapsed Time: 0 ms.
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       
Accept/Require Client Certificates isn't configured.
Elapsed Time: 622 ms.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
       
      Additional Details
       
Elapsed Time: 1367 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://mailhost.olddomain.co.uk/Autodiscover/Autodiscover.xml for user user@newdomain.co.uk.
       The Autodiscover XML response was successfully retrieved.
       
      Additional Details
       
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<Culture>en:us</Culture>
<User>
<DisplayName>user Higgs</DisplayName>
<EMailAddress>user@newdomain.co.uk</EMailAddress>
</User>
<Action>
<Settings>
<Server>
<Type>MobileSync</Type>
<Url>https://mailhost.olddomain.co.uk/Microsoft-Server-ActiveSync</Url>
<Name>https://mailhost.olddomain.co.uk/Microsoft-Server-ActiveSync</Name>
</Server>
</Settings>
</Action>
</Response>
</Autodiscover>
Elapsed Time: 1367 ms.

Expert Comment

by:Simon Butler (Sembee)
It could just be that the changes are cached on the client, because the test site would appear to be working correctly.

Simon.