Configure legacy on-premises public folders for a hybrid deployment - certificate error

We have Exchange 2010 SP3 UR6 and Office 365 in a hybrid deployment. We have 2 CAS servers and 3 Mailbox servers, all Server 2008 R2.
Let's call them CAS1, CAS2, DATA1, DATA2, DATA3.
DATA2 and DATA3 contain public folder databases that are replicated with each other. CAS1 and CAS2 are also Hub Transport servers.

We want to configure the legacy on-prem public folders so that all users (on-prem and Office 365) can view, change, and create on-prem public folders.

I started going through the steps in this article...
http://technet.microsoft.com/en-us/library/dn249373(v=exchg.150).aspx 

I didn't get very far because after installing the CAS server role on DATA3 (the 1st step in the instructions) I noticed our Outlook clients started receiving Security Alert pop-ups about certificate errors from DATA3.ourdomain.com ("The security certificate was issued by a company you have not chosen to trust.... Do you want to proceed?") and all Outlook clients became disconnected.

This was occurring on all client machines.

I ran "Test E-mail AutoConfiguration" in my Outlook client and saw the following: "attempting URL https://DATA3.ourdomain.com/Autodiscover/Autodiscover.xml"

...when it should have been resolving to "https://mail.ourdomain.com/Autodiscover/Autodiscover.xml" instead (which is how it is now after uninstalling the CAS server role from DATA3 to fix the issue).

After the fact, now that everything is back to normal I get the following after running the commands...

[PS] C:\Windows\system32>Get-ClientAccessServer | fl identity, autodiscoverserviceinternaluri

Identity                       : CAS1
AutoDiscoverServiceInternalUri : https://mail.ourdomain.com/Autodiscover/Autodiscover.xml
Identity                       : CAS2
AutoDiscoverServiceInternalUri : https://mail.ourdomain.com/Autodiscover/Autodiscover.xml

Also when I run...
[PS] C:\Windows\system32>Get-ClientAccessArray | fl

... some results omitted...
Fqdn              : cas-array1.domainname.com
Members           : {CAS1, CAS2}
Name              : cas-array1
Identity          : cas-array1
... some results omitted...

QUESTIONS:
1) I did not add the DATA3 server to the network load balancer for the CAS array, so why is Outlook even hitting DATA3 as a CAS server? It should be directed to the VIP of the load balancer, which then directs it to ONLY CAS1 or CAS2. Or am I misunderstanding something here?

2) When I go to try this again, do I simply need to change the "AutoDiscoverServiceInternalUri" for DATA3 to match the others, "https://mail.ourdomain.com/Autodiscover/Autodiscover.xml"?

3) Do I need to update my certificate to include the SAN "DNS Name=DATA3.ourdomain.com" so that the Outlook client won't freak out? We have the following now (which include the CAS servers)...
"DNS Name=mail.ourdomain.com"
"DNS Name=autodiscover.ourdomain.com"
"DNS Name=cas-array1.ourdomain.com"
"DNS Name=cas1.ourdomain.com"
"DNS Name=cas2.ourdomain.com"

Thanks!
K_IT asked:

Vasil Michev (MVP) commented:
When you run the "Test E-mail AutoConfiguration", which method was it trying? You can play around with the registry settings to force Outlook to look at the right place: http://support.microsoft.com/kb/2212902
The article, however, mentions that the CAS server doesn't need to be part of the array...

You can suppress the warning in Outlook: http://support.microsoft.com/kb/2783881
For a 2010-based hybrid, you do need all the domains added to the SAN; you might want to consider a 2013-based hybrid instead: http://technet.microsoft.com/en-us/magazine/dn249970.aspx
K_IT (Author) commented:
This is now fixed.

I did the following...

I got the certificate warnings to stop by updating our Exchange UC certificate to include the names of the servers that were added as Client Access Server roles in the SAN names on the cert. I also changed the following in Exchange for the CAS servers that were added...

Set-ClientAccessServer -Identity ESERVER01 -AutoDiscoverServiceInternalUri https://mail.ourdomain.com/Autodiscover/Autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "ESERVER01\EWS (Default Web Site)" -InternalUrl https://mail.ourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$true

Set-WebServicesVirtualDirectory -Identity "ESERVER01\EWS (Default Web Site)" -ExternalUrl https://mail.ourdomain.com/EWS/Exchange.asmx

The public folders then showed for Office 365 users about 10 hours after completing the last step in the following article...
http://technet.microsoft.com/en-us/library/dn249373(v=exchg.150).aspx 

I hope this information helps others in the future.
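The fix above boils down to three settings that every Client Access server must agree on before Outlook is ever sent to a newly added CAS: the Autodiscover SCP, the EWS URLs, and the SAN list of the certificate bound to IIS. The following script is an added example written for this thread, not code from the poster or from the Microsoft article; it audits all three on every CAS in the organization and optionally corrects the first two. It assumes the Exchange 2010 Management Shell is loaded, that the shared namespace is mail.ourdomain.com as in the question, and it does not understand wildcard certificates (a name check, nothing more).

```powershell
# Added audit script (not from the original thread). Assumes the Exchange 2010
# Management Shell and the mail.ourdomain.com namespace used in the question.
# Run it before and after adding the CAS role to a Mailbox server: a server that
# still advertises its own FQDN is exactly what produced the certificate prompts.

$ExpectedAutodiscover = 'https://mail.ourdomain.com/Autodiscover/Autodiscover.xml'
$ExpectedEws          = 'https://mail.ourdomain.com/EWS/Exchange.asmx'
$Fix = $false   # set to $true to correct URL mismatches instead of only reporting them

# Names every IIS-bound certificate must carry, in addition to the server's own FQDN.
$RequiredNames = @('mail.ourdomain.com', 'autodiscover.ourdomain.com')

foreach ($cas in Get-ClientAccessServer) {
    $name     = $cas.Name
    $problems = @()

    # 1) Autodiscover SCP. Domain-joined Outlook reads this from AD, so a new CAS
    #    that publishes its own FQDN here is contacted directly, load balancer or not.
    $scp = "$($cas.AutoDiscoverServiceInternalUri)"
    if ($scp -ne $ExpectedAutodiscover) {
        $problems += "AutoDiscoverServiceInternalUri is '$scp'"
        if ($Fix) {
            Set-ClientAccessServer -Identity $name -AutoDiscoverServiceInternalUri $ExpectedAutodiscover
        }
    }

    # 2) EWS virtual directory. Hybrid public folder access goes through EWS, so both
    #    URLs must point at the shared namespace rather than the individual server.
    foreach ($vd in Get-WebServicesVirtualDirectory -Server $name) {
        $internal = "$($vd.InternalUrl)"
        $external = "$($vd.ExternalUrl)"
        if ($internal -ne $ExpectedEws -or $external -ne $ExpectedEws) {
            $problems += "EWS URLs are internal='$internal' external='$external'"
            if ($Fix) {
                Set-WebServicesVirtualDirectory -Identity $vd.Identity -InternalUrl $ExpectedEws -ExternalUrl $ExpectedEws
            }
        }
    }

    # 3) Certificate. The certificate with the IIS service enabled must list the
    #    shared names and this server's FQDN, or Outlook shows the "issued by a
    #    company you have not chosen to trust" prompt when it reaches the host directly.
    $iisCert = Get-ExchangeCertificate -Server $name |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        Select-Object -First 1
    if ($null -eq $iisCert) {
        $problems += 'no certificate has the IIS service enabled'
    } else {
        $domains = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })
        $missing = @($RequiredNames + $cas.Fqdn) |
            ForEach-Object { $_.ToLower() } |
            Where-Object { $domains -notcontains $_ }
        if ($missing) {
            $problems += "IIS certificate $($iisCert.Thumbprint) lacks SAN(s): $($missing -join ', ')"
        }
    }

    if ($problems.Count -eq 0) {
        Write-Output "${name}: OK"
    } else {
        $problems | ForEach-Object { Write-Output "${name}: $_" }
    }
}
```

Leave $Fix at $false for the first run and read the report; the certificate findings are never auto-fixed because they need a reissued certificate with the extra SAN, which is the step the poster had to take anyway. The script deliberately checks the SCP first, since that answers question 1 in the thread: the load balancer only matters once Outlook has already been told which host to talk to.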
K_IT (Author) commented:
Vasil gets all the points because it is the only response to my question. Thank you Vasil.