Exchange 2013 in a disjointed domain

Posted on 2014-02-10
Medium Priority
Last Modified: 2014-02-15
Hi All,

I have a client with a new installation of Exchange 2013. Mail flow is working, but there are some issues with Outlook connecting: current users get a password prompt that won't accept their credentials, and Autodiscover for new users resolves their names but then also prompts for passwords and never accepts them.

What I know and have read about this seems to stem from the fact that the client has a disjoint domain. Here is what they have; they are in Johannesburg (JHB):

domain name = domain.local
DNS = domain.local and domain.co.za
NetBIOS = domainJHB

Their external mail address is mail.domain.co.za

I have set Outlook Anywhere to use NTLM, and Outlook has been updated to the service packs supported by Exchange 2013, i.e. Outlook 2010 with SP2.

I have tried some things in DNS, such as removing autodiscover.domain.local and creating an SRV record pointing to autodiscover.domain.co.za. Thus far the only way I have managed to get Outlook online is to do a manual setup and make sure Outlook Anywhere is set up.

Any advice would be appreciated.
Question by:Thiaan

Expert Comment

by:Simon Butler (Sembee)
ID: 39847001
Having a domain in the way that you have described is not a problem, as long as you have a split dns system and configure Exchange correctly to use the external name internally.
That is easily done, my Exchange 2010 instructions apply to Exchange 2013 as well.


Autodiscover DNS records are not used internally, unless the clients are not members of the domain. The clients query the domain for the value that you can see here:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

The host name needs to resolve to the Exchange server and be listed on the SSL certificate.

I suspect that is the core of your problem. That will be the reason Autodiscover doesn't work and the authentication prompts.
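The check Simon describes, as an added example that is not part of the thread and not Simon's own script: run in the Exchange Management Shell on an Exchange 2013 server, it reads the host name out of AutoDiscoverServiceInternalUri and the Outlook Anywhere host names, then reports whether each name is carried by the certificate bound to IIS and whether internal DNS resolves it to this server. The $Server parameter is an assumption of the example and defaults to the local machine.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Verifies that the names Outlook is handed (the Autodiscover SCP URI host and the
# Outlook Anywhere host names) resolve in internal DNS and are present on the
# certificate Exchange has assigned to IIS.
param([string]$Server = $env:COMPUTERNAME)   # assumption: local CAS by default

$cas = Get-ClientAccessServer -Identity $Server
$oa  = Get-OutlookAnywhere -Server $Server

# Names clients will try to connect to and will validate the certificate against.
$names = @(([uri]$cas.AutoDiscoverServiceInternalUri).Host,
           "$($oa.InternalHostname)", "$($oa.ExternalHostname)") |
    Where-Object { $_ } | Select-Object -Unique

# The certificate assigned to the IIS service is the one Autodiscover and
# Outlook Anywhere present, so that is the one the names must appear on.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate is assigned to IIS on $Server" }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Status/RootCAType show whether the chain is trusted from this server's point of view.
Write-Host ("IIS certificate: {0}  Status={1}  RootCAType={2}  Expires={3:yyyy-MM-dd}" -f
    $cert.Subject, $cert.Status, $cert.RootCAType, $cert.NotAfter)

$serverIPs = [System.Net.Dns]::GetHostAddresses($Server) |
    ForEach-Object { $_.IPAddressToString }

foreach ($n in $names) {
    # -like lets a wildcard entry such as *.domain.co.za match mail.domain.co.za.
    # This is looser than strict RFC 6125 matching but adequate for an audit.
    $onCert = [bool]($certNames | Where-Object { $n -like $_ })

    # CNAME chains return records without IPAddress; keep only the A records.
    $resolved = @(Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })

    [pscustomobject]@{
        Name               = $n
        OnCertificate      = $onCert
        ResolvesTo         = ($resolved -join ',')
        # Split DNS: internally the public name should point at the CAS (or its
        # load balancer). False here with a non-empty ResolvesTo means it points
        # somewhere else, which is worth a look.
        PointsAtThisServer = [bool]($resolved | Where-Object { $serverIPs -contains $_ })
    }
}
```

Any row with OnCertificate set to False is a name the certificate cannot vouch for, which is what produces the certificate warnings and the endless credential prompts described in the question; a Status other than Valid on the certificate line means the chain itself is not trusted by the server, independent of the names.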


Author Comment

ID: 39847197
Hi Simon,

Thanks for the reply.

I have changed the URLs as you suggested, so both internal and external are now mail.domain.co.za/[respective virtual directory], but there is no change. If I specify the MSSTD then the client connects, but not if I try to use plain Autodiscover during the Outlook setup. I also get a certificate error that states:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name on the target site mail.domain.co.za.
Outlook is unable to connect to proxy server. (Error code 0)

I have never seen an error code 0; 8 and 10 I have seen, and those are usually an issue with the certificate. The certificate issued on the server looks like so:

subject: CN=servername.domain.local

It is a web server cert and is valid on the machine. I am no expert when it comes to certificates, but as far as I understand, when Outlook tries to connect the name should match either the subject name or one of the SANs?

Expert Comment

by:Simon Butler (Sembee)
ID: 39847332
That cannot be a trusted certificate.
You cannot get trusted certificates with the local names on them unless they expire before November 2015. Are you using a trusted certificate?

Autodiscover is different to the name used for Outlook Anywhere, so you have different issues, although most likely the same cause - trust on the certificate.

Author Comment

ID: 39847413
It's an internal CA which has been there for heaven knows how long. It is not linked to any public CAs.

Expert Comment

by:Simon Butler (Sembee)
ID: 39847433
I will drop off the question then. I don't do anything with internal CAs. For public facing services like this they are more hassle than they are worth and I will not have anything to do with them.


Accepted Solution

Thiaan earned 0 total points
ID: 39848476
Thanks for all your help Simon.

I managed to figure it out; it was indeed the certificate causing the issue, but not because the certificate was wrong. I eventually discovered that the Outlook providers were set to look at mail.domain.co.za, hence the error mentioned above, as the cert name is servername.domain.local. If you run Get-OutlookProvider in the Exchange PowerShell on a working Exchange you get something like this:

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
exch                                                                                      1
expr                                                                                      1
web                                                                                       1

However, on my problematic Exchange the CertPrincipalNames were all set to mail.domain.co.za.

To reset them you need to enter Set-OutlookProvider EXCH -CertPrincipalName $Null.

Thanks for your time though. It's greatly appreciated.

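An audit of the setting the accepted answer found, as an added example that is not part of the thread and not Thiaan's own command sequence: it compares each Outlook provider's CertPrincipalName with the names on the certificate Exchange has bound to IIS, reports the providers whose value names a host the certificate does not carry (the combination that produced the "proxy server's security certificate" prompt above), and clears those values with Set-OutlookProvider -CertPrincipalName $null, the same cmdlet used in the answer. The script file name and the -WhatIf/-Confirm guard are assumptions of the example.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Audits Get-OutlookProvider CertPrincipalName (msstd:<name>) against the IIS
# certificate and, on confirmation, clears mismatched values as the accepted
# answer did. Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param()

$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is assigned to IIS on this server' }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })
Write-Verbose ("IIS certificate {0} carries: {1}" -f $cert.Thumbprint, ($certNames -join ', '))

foreach ($provider in Get-OutlookProvider) {
    $cpn = "$($provider.CertPrincipalName)"

    if (-not $cpn) {
        # Empty is the default shown in the working output above; nothing to do.
        [pscustomobject]@{ Provider = $provider.Name; CertPrincipalName = ''; State = 'Default' }
        continue
    }

    # Outlook checks the part after "msstd:" against the certificate's subject/SANs.
    # -like lets a wildcard entry such as *.domain.co.za match mail.domain.co.za.
    $expected = $cpn -replace '^msstd:', ''
    $onCert   = [bool]($certNames | Where-Object { $expected -like $_ })

    if ($onCert) {
        [pscustomobject]@{ Provider = $provider.Name; CertPrincipalName = $cpn; State = 'OK' }
        continue
    }

    # Mismatch: the provider tells Outlook to insist on a name the certificate
    # cannot satisfy. Clear it, but only when the operator confirms (or without
    # -WhatIf), so a dry run never changes the org configuration.
    $state = 'Mismatch'
    if ($PSCmdlet.ShouldProcess($provider.Name, "Clear CertPrincipalName '$cpn' (not on IIS certificate)")) {
        Set-OutlookProvider -Identity $provider.Name -CertPrincipalName $null
        $state = 'Cleared'
    }
    [pscustomobject]@{ Provider = $provider.Name; CertPrincipalName = $cpn; State = $state }
}
```

Clearing the value is the remedy the answer used; the other consistent fix is to set CertPrincipalName to msstd: followed by a name the certificate actually carries. Either way the change is picked up by Outlook clients only after their next Autodiscover query, so restart Outlook when re-testing.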
Expert Comment

by:Md. Mojahid
ID: 39849506
What about OWA? Is it working fine? If yes, then try resetting the account password once and figure out what the status is. Also check your credentials setting and SSL certificate.

Author Closing Comment

ID: 39861161
I managed to figure this out in my own clean lab environment with a greenfield deployment.
