Cannot make migration endpoint connection

I am working on setting up a migration from Exchange 2010 to Office 365 Exchange Online.
I am trying to create a migration endpoint. I have set up Outlook Anywhere on my in-house server.
I have an SSL cert that I have installed and assigned to IIS.
I can go to OWA externally and I do not get any cert errors.
I can set up Outlook externally and access the mailbox with no errors.
I have tried running the testexchangeconnectivity and it will go through all the steps except it has the wrong name in the cert, due to the fact that you cannot set any servers manually in that test.
Not sure what I am missing? When I try to create a migration endpoint and manually put in the Exchange and RPC server, it says cannot connect to server, make sure that the endpoint settings are correct and that the certificate is valid. As far as I can tell that is all correct. I am also using basic authentication and full access settings under advanced.
Any ideas would be greatly appreciated!
Alan Hardisty (Co-Owner) Commented:
The test will use Autodiscover to determine the EndPoint, so does the Autodiscover test work happily?

Does the certificate include auto and have you set up an A record called autodiscover that points to the IP Address of your Exchange 2010 server?

What do you mean the test on the test site works apart from the cert having the wrong name?  Does it find your Exchange server or another server?

Is the certificate from a trusted 3rd party SSL certificate provider?  If it isn't - it won't work.

DaveKall42 (Author) Commented:
Yes, I do have autodiscover.<domain> set up as an A record. I don't have that in my cert though. When I do the test on the test site it is looking for the above name, not the actual FQDN of my mail server. I cannot set in the test the actual FQDN of the server. As I said, I can do OWA and Outlook Anywhere with Outlook with no cert issues. As far as I can tell it is from a trusted 3rd party SSL provider. Again, I am not getting any errors from OWA or Outlook. I am also not using Autodiscover when creating my migration endpoint. I am putting in the FQDN and RPC FQDN servers.
Alan Hardisty (Co-Owner) Commented:
Okay - if you added the A record you need autodiscover included in your SSL certificate.

So - you either need to re-key your SSL certificate to include autodiscover (if you have a SAN cert), or the easier way is to delete the Autodiscover A record and set up an SRV record pointing to the FQDN that is included in your SSL certificate and then Autodiscover will use the SRV record to locate and configure the Endpoint happily.

Guide for how to configure the SRV record (ignore the Exchange version):

Of course - if your Domain host doesn't support SRV records (some do / some don't), then you can't use that option, so you will need a SAN certificate (multiple names included) that includes and then things will fall into place.

Alan Hardisty (Co-Owner) Commented:
Another option (that I haven't tested) is to configure an Autodiscover CNAME record and point that to the FQDN included in your SSL certificate.

Just make sure you only have one method for Autodiscover, not multiple.  Either an A record, a CNAME record or an SRV record.
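
Added example, not part of the thread: a small Python check of the two points raised in the comments above, namely that only one Autodiscover record type should exist and that the certificate must carry the name the client actually requests. The domain, address and certificate names are constructed placeholders, and the function names are hypothetical.

```python
def name_matches(host, pattern):
    """Compare a hostname with one certificate DNS name (left-most wildcard only)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    # "*.example.com" covers exactly one extra label, never the bare domain.
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]


def cert_covers(host, san_names):
    """True if any name on the certificate matches the requested host."""
    return any(name_matches(host, p) for p in san_names)


def check_autodiscover(domain, dns, san_names):
    """dns maps 'A'/'CNAME'/'SRV' to a target (or None) for the Autodiscover
    records of `domain`. Returns a list of findings; empty means consistent."""
    findings = []
    methods = [m for m in ("A", "CNAME", "SRV") if dns.get(m)]
    if len(methods) != 1:
        findings.append(f"expected exactly one Autodiscover record type, found {methods}")
    for method in methods:
        # A/CNAME: the client requests https://autodiscover.<domain>, and TLS
        # validates that requested name (not the address or CNAME target).
        # SRV: the client requests the host named in the SRV target.
        requested = dns["SRV"] if method == "SRV" else f"autodiscover.{domain}"
        if not cert_covers(requested, san_names):
            findings.append(f"{method}: certificate has no name matching {requested}")
    return findings


# Constructed sample data (example.com is a placeholder domain).
SANS = ["mail.example.com"]                      # names on the certificate
BEFORE = {"A": "203.0.113.10", "CNAME": None, "SRV": None}
AFTER = {"A": None, "CNAME": None, "SRV": "mail.example.com"}

if __name__ == "__main__":
    for label, dns in (("A record", BEFORE), ("SRV record", AFTER)):
        print(label, "->", check_autodiscover("example.com", dns, SANS) or "OK")
```
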
DaveKall42 (Author) Commented:
I have an A record for the FQDN and one for autodiscover. I guess where I am confused is that when creating my migration endpoint I am going past the Autodiscover and putting in the server's FQDN manually, so it shouldn't matter what is there for Autodiscover, correct?
Alan Hardisty (Co-Owner) Commented:
For confirmation, run the Outlook Anywhere test on the test site using Autodiscover and if that passes, then the Endpoint creation should be trouble-free, or is that the test you ran?
Vasil Michev (MVP) Commented:
You do not need Autodiscover to work externally, just make sure that the Outlook Anywhere endpoint matches the server name on that certificate. As Alan suggested, making sure that the Outlook Anywhere test from ExRCA passes is what you need.

Alternatively, you can just get a free cert from sites like StartSSL/Comodo for the endpoint you are missing.
DaveKall42 (Author) Commented:
Ok, I was able to get it to work with the SRV record.  Now when I try and set up the batch, the option for cutover is greyed out?  Any idea as to why that would be?
Can I still do the migration in a hybrid method?
Alan Hardisty (Co-Owner) Commented:
Have you tried to set up directory sync prior to the migration?
DaveKall42 (Author) Commented:
This is not the Azure directory sync tool, correct?
Alan Hardisty (Co-Owner) Commented:
Think so. I tried to set up directory sync and lost the cutover option but once that had been stopped, it came back.
DaveKall42 (Author) Commented:
Well, I tried to set up the dirsync before doing all this but never made it through the whole process. I have since removed the dirsync software from the server so nothing should be syncing. Is there a setting in Exchange Online that needs to be changed?
Alan Hardisty (Co-Owner) Commented:
Thought so.  You just need to stop the dirsync before the cutover will become available.

Once it has stopped, you should be able to start the cutover.
DaveKall42 (Author) Commented:
Actually I found that. It's working now. Thanks for all your help!
One question.  You can go to dirsync after the migration is over?  i.e.: SSO type setup
Alan Hardisty (Co-Owner) Commented:
Yes - absolutely, but it's sensible to have two domain controllers available your side because if you only have one and it is down, you won't be able to log in to 365 at all!
Alan Hardisty (Co-Owner) Commented:
Oh - and you're welcome :)

DaveKall42 (Author) Commented:
We have 2 actually so that will be fine.  :)   So basically just run the dirsync utility after the migration and will it correspond then to the mailboxes that have been moved over automatically?
Alan Hardisty (Co-Owner) Commented:
Basically - yes.  If you can get it configured (it's not a walk in the park)!  I'm doing exactly that tomorrow post 365 migration!

It will sync the AD accounts on premise with the Office 365 accounts and that will keep the passwords in sync.
DaveKall42 (Author) Commented:
Yes, I tried running it previously and it was not fun at all. Erred out at almost every step for one reason or another.  :/
Alan Hardisty (Co-Owner) Commented:
Glad it isn't just me then!
DaveKall42 (Author) Commented:
Hi Alan,
Just curious how the dirsync went?

Alan Hardisty (Co-Owner) Commented:
It didn't! Ended up firefighting other issues unfortunately. May tackle it again but not sure if / when. Sorry.