Exchange 2010 DAG with Outlook client cert warnings

Posted on 2014-08-20
Last Modified: 2015-01-07
I am creating an Exchange 2010 DAG.

At this point, I have just added the 2nd Exchange 2010 server into the organization with MB, HT, CAS roles.
- existing Exchange 2010 MB, HT, CAS
- newly added MB, HT, CAS
(note: internal domain is the same valid public domain as the public domain name - "" is just for the purposes of this post)

I have NOT created the DAG, or moved any active mailbox databases to the new server.  The new server has a mailbox database (created during install).  There is also a Receive connector between the 2 with Exchange Server authentication and permissions.

Outlook Clients are getting certificate warnings about the server name for EXDAG (the new server) when they open Outlook.

I assume this is related to Autodiscover, but I can't see how or why a client would even know EXDAG exists because it is not any of the key names.

I also assume I can export the cert from EX10 and import it to EXDAG, but the cert does *not* have a SAN for EXDAG.

Do I need to rekey the cert to include the internal FQDN of EXDAG?

Current SANs:
-- internal computer fqdn
-- for autodiscover
-- external URL for owa, etc.
Question by: snowdog_2112

    Expert Comment

    -->Do I need to rekey the cert to include the internal FQDN of EXDAG?
    No. In future you won't be able to add an internal FQDN in your certificate.
    BTW you don't need You need only and
    Please check my article. This will help you to configure your Exchange URLs and clear the error.

    You should configure the same URL on both servers if you have a plan for DAG

    Author Comment

    Thanks - I'll check that out.

    Part of my question is why the Outlook clients would touch EXDAG in the first place (the new server with no mailboxes or active connectors).

    If Autodiscover uses:

    Where in the process would the client even determine there is a new server in the organization.  At this point the 2 Exchange servers are "standalone" servers in the same organization - there is no cluster or DAG defined.

    This would be like an Outlook client in the NewYork office connecting to "" throwing a cert warning for "" because there is an Exchange MB, HT, CAS server in London.

    Accepted Solution

    by: - existing Exchange 2010 MB, HT, CAS - newly added MB, HT, CAS

    Because the way internal clients will look up Autodiscover. For internal, domain joined clients who have access to Active Directory they will query the servers ServiceBindingInformation attribute within the AutoDiscover service. This is also known as the "Service Connection Point" or "SCP" for AutoDiscover. You can view this attribute by running the following:

    Get-ClientAccessServer | Select Name, AutoDiscoverServiceInternalUri

    Since you have two servers, and what sounds like split DNS (where the Internal FQDN and the External FQDN for the domain are the same) I would assume you are using some type of load balancer (two CAS = load balancing required for any HA). In that situation I would run the following command and within the AD DNS Forward Lookup Zone add an A record for "" that points to the Virtual IP of the CAS load balancer.
    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri

    So when a client that is internal, and domain joined looks up the autodiscover SCP (when starting Outlook) it will point to, which will then point to the VIP of the load balancer and then become a load balanced service :)

    Furthermore, MAS's article is absolutely correct. You should be setting your InternalUrl and ExternalUrl for the Client Access services to the same name (that is resolvable within DNS both internally and externally) for OWA, Exchange ActiveSync, ECP, EWS, Offline Address Book, Outlook Anywhere, etc. These DNS A records INTERNALLY should point to the Virtual IP of your load balancer.

    Moving past that to the certificate, you can export the existing SSL SAN from the first Exchange 2010 server and import that into the new Exchange 2010 server, then assign it. If you need help with this, let me know and I can walk you through it.
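    As an added example (not part of this thread or of any Exchange documentation), the following Exchange 2010 Management Shell script audits what the accepted answer describes: it collects every host name a client can be directed to (the Autodiscover SCP and each virtual directory's InternalUrl/ExternalUrl on every CAS) and reports any that are missing from the SAN list of the certificate bound to IIS, which is exactly what produces the Outlook prompt. `$intendedNames` is a placeholder for the load-balanced names you plan to publish.

```powershell
# Added example, not from the thread: audit the host names Outlook is sent to
# (the Autodiscover SCP plus every InternalUrl/ExternalUrl) against the SAN
# list of the certificate bound to IIS on each Client Access Server.
# Assumes the Exchange 2010 Management Shell. $intendedNames is a placeholder
# for the load-balanced names you plan to publish internally and externally.
$intendedNames = @('mail.example.com', 'autodiscover.example.com')   # placeholder

$casServers = Get-ClientAccessServer
$published  = @()
foreach ($s in $casServers) {
    # The SCP value that domain-joined Outlook reads from AD at startup
    $published += ([uri]$s.AutoDiscoverServiceInternalUri).Host
    # Web service URLs that Autodiscover hands back to the client
    $vdirs = @(Get-OwaVirtualDirectory -Server $s.Name) +
             @(Get-EcpVirtualDirectory -Server $s.Name) +
             @(Get-WebServicesVirtualDirectory -Server $s.Name) +
             @(Get-OabVirtualDirectory -Server $s.Name) +
             @(Get-ActiveSyncVirtualDirectory -Server $s.Name)
    foreach ($v in $vdirs) {
        foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
            if ($u) { $published += ([uri]$u).Host }
        }
    }
    $oa = Get-OutlookAnywhere -Server $s.Name -ErrorAction SilentlyContinue
    if ($oa -and $oa.ExternalHostname) { $published += $oa.ExternalHostname.ToString() }
}
$published = $published | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# Names a client may be directed to that are not in the planned load-balanced set
$published | Where-Object { $intendedNames -notcontains $_ } |
    ForEach-Object { Write-Warning "Clients can be sent to $_ (not a load-balanced name)" }

# Names missing from the IIS certificate on each CAS: these cause the Outlook prompt
foreach ($s in $casServers) {
    $iisCerts = Get-ExchangeCertificate -Server $s.Name |
                Where-Object { $_.Services.ToString() -match 'IIS' }
    foreach ($c in $iisCerts) {
        $san = $c.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
        foreach ($h in $published) {
            $wild = '*.' + ($h -replace '^[^.]+\.', '')   # accept a matching wildcard SAN
            if (($san -notcontains $h) -and ($san -notcontains $wild)) {
                Write-Warning "$($s.Name): cert $($c.Thumbprint) lacks SAN for $h"
            }
        }
    }
}
# Remediation per the accepted answer: point the SCP on every CAS at the
# load-balanced name, e.g. Get-ClientAccessServer | Set-ClientAccessServer
#   -AutoDiscoverServiceInternalUri https://autodiscover.example.com/Autodiscover/Autodiscover.xml
```

    Run it before and after changing the SCP and URLs; when no warnings remain, every name Autodiscover can hand out is both load-balanced and covered by the certificate.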

    Author Comment

    Awesome answer - thanks!

    (I haven't been able to address this - tied up on other projects).

    I'll check it out and report back.

    Author Closing Comment

    Sorry for the delay - better late than never for the points!
