The current situation is probably the product of cumulative errors over a couple of years, but it’s reached a point where I'm pulling out what hair I have left.
An SBS 2011 Exchange installation which has been working fine for years has recently started throwing an autodiscover name mismatch certificate error when Outlook 2007 is started on a domain computer. There is a website for the domain (let’s call it xyz.co.uk), although it’s not active at the moment, but the mail server at remote.xyz.co.uk is fairly busy, and it’s that name that I'm expecting to see on the SSL certificate; instead, I'm seeing the certificate for the domain name host, with the name *.123-secure.com on it, although I'm pretty sure that if things were working properly I wouldn't see anything relating to SSL certificates at all.
If it’s relevant, the mail server is using a UCC SSL certificate from GoDaddy.
I've tried adding a CNAME record to the internal DNS forward lookup zone to no avail, and an SRV record for xyz.co.uk to the external DNS via the 123-reg control panel, but the error persists. I started to add an SRV record to the internal DNS forward lookup zone as well, until I noticed that the domain field at the top of the form contained remote.xyz.co.uk and not just xyz.co.uk. I sensed that pointing the record to itself might not be helpful...
Nslookup returns the IP address of the domain name host and not the static public IP of the SBS server; it lists no aliases.
The MS Test Connectivity tool for autodiscover for both ActiveSync and Outlook passes with warnings, to the effect that the DNS SRV redirect method was the only one that worked. The other methods returned name mismatches and wrong IP addresses. This suggests that the SRV record I added is both correct and necessary.
OWA works fine, and mail is sent and received without problems.
It seems that autodiscover is finding the root domain xyz.co.uk instead of being directed to remote.xyz.co.uk, so how can I fix this?
Why is the 123-secure certificate being invoked at all?
I’ve found 123-reg support to be glacially slow and entirely unhelpful so far.
Do I have to start again from scratch, or is the situation retrievable?
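
The name mismatch described above, as an added example that is not part of the original post: it checks each HTTPS host that Outlook's DNS-based autodiscover lookup tries against the certificate names that host presents. The certificate table is constructed, and the SAN on the UCC certificate and the address of autodiscover.xyz.co.uk are assumptions; the Active Directory SCP lookup and the plain-HTTP redirect step are left out.

```python
def cert_matches(host, cert_names):
    """Hostname check: '*' may stand in only for the whole leftmost label."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def autodiscover_candidates(smtp_domain, srv_target=None):
    """HTTPS hosts derived from the mail domain, in the order they are tried."""
    steps = [("https://<domain>", smtp_domain),
             ("https://autodiscover.<domain>", "autodiscover." + smtp_domain)]
    if srv_target:  # target of the _autodiscover._tcp.<domain> SRV record
        steps.append(("SRV redirect", srv_target))
    return steps

def diagnose(smtp_domain, presented, srv_target=None):
    """Return [(method, host, verdict)]; verdict is 'ok', 'name mismatch'
    or 'no HTTPS listener'."""
    report = []
    for method, host in autodiscover_candidates(smtp_domain, srv_target):
        names = presented.get(host)
        if names is None:
            verdict = "no HTTPS listener"
        elif cert_matches(host, names):
            verdict = "ok"
        else:
            verdict = "name mismatch"
        report.append((method, host, verdict))
    return report

# Constructed sample: certificate names each host presents on port 443.
PRESENTED = {
    "xyz.co.uk": ["*.123-secure.com"],               # domain host's shared web server
    "autodiscover.xyz.co.uk": ["*.123-secure.com"],  # assumed to resolve to the same host
    "remote.xyz.co.uk": ["remote.xyz.co.uk"],        # assumed SAN on the UCC certificate
}

if __name__ == "__main__":
    for row in diagnose("xyz.co.uk", PRESENTED, "remote.xyz.co.uk"):
        print("%-30s %-24s %s" % row)
```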