Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Exchange 2013 - Accidentally installed Client Access role on new Mailbox server - users get certificate pop-ups

Posted on 2016-11-17
10
67 Views
Last Modified: 2016-11-17
Installing a new mailbox server but accidentally installed Client Access Role too. As soon as the installation neared completion users started getting certificate errors from the new server.

1. Don't understand how this can be. We point all our clients to a load balancer which points to our existing CAS servers so I don't understand how outlook clients can see this new one.

2. Server is offline now because of the problems its caused. How do I remove the CAS role from it? I assume I need to be online to do this properly (so it can access AD)? Will need to do out of hours I guess.
0
Comment
Question by:paulfoel
  • 5
  • 3
  • 2
10 Comments
 
LVL 7

Expert Comment

by:Andy
ID: 41891264
Hi,

I'm assuming this isn't your only mailbox server as it's offline so you would need to remove all roles then reinstall the mailbox role only.
(The uninstall unfortunately doesn't support single role removal.)
Before removing, ensure any mailboxes are moved to another mailbox server meaning you can do this in hours (although always best to work out of hours for nay major exchange work)
Also, ensure the other mailbox server(s) has/have enough storage.
0
 
LVL 1

Author Comment

by:paulfoel
ID: 41891266
Thanks Andy. Assume its advisable for the server to be back on the network for when I do the uninstall so that it clears out of AD properly?

Still don't understand why the clients saw it as a CAS server though when they'd pointed to a loadbalancer?
0
 
LVL 7

Accepted Solution

by:
Andy earned 500 total points
ID: 41891272
Yeah that would be a good idea to clean up AD.

No, unless it adds itself to the autodiscover.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 16

Expert Comment

by:Ivan
ID: 41891283
Hi,

since you have installed CAS role, then you should reconfigure or disable AutoDiscoverService on it.
From Exchange Shell type:
[PS] C:\>Get-ClientAccessServer <server name that you just installed> | fl to see autodiscoverserviceinternaluri
If it is not pointing to location where all other are pointing, then you can quickly disable it, so that users don't get certificate errors.
To do that:
Set-ClientAccessServer -Identity “<new_server_name>” -AutoDiscoverServiceInternalUri $NULL

If you want to reconfigure it, then use:
[PS] C:\>Get-clientaccessserver <server name that you just installed> | set-clientaccessserver -autodiscoverserviceinternaluri "https://servername.domain.com/autodiscover/autodiscover.xml"

PS: When you install CAS, it will store autodiscoverserviceuri into AD, and that is why all users can see it.

Regards,
Ivan.
0
 
LVL 1

Author Comment

by:paulfoel
ID: 41891323
Thanks all. Looks like even offline it caused problems because I guess it had inserted itself into AD.

So Ive not added it back onto network and uninstalled. This should fix?

Build document will be updated! Need to ensure CAS is not selected - would suggest Microsoft put a warning here that the addition of CAS server will cause a problem maybe.
0
 
LVL 7

Expert Comment

by:Andy
ID: 41891328
some people love a multi role server (especially cost wise), personally I agree it's not a great idea, extra planning is needed for that scenario.
That should be fine.
0
 
LVL 1

Author Comment

by:paulfoel
ID: 41891339
Only problem is users are still getting pop-ups relating to certificates on the new server and if I run test email configuration on my outlook its still finding the new server. Or is it just a case of waiting for propagation etc?
0
 
LVL 16

Expert Comment

by:Ivan
ID: 41891361
Hi, as I wrote:

type command bellow on any exchange server, to see autodiscoverserviceinternaluri settings on that new server
Get-ClientAccessServer <server name that you just installed> | fl

Or type directly this command to disable autodiscoverserviceuri on new server:
Set-ClientAccessServer -Identity “<new_server_name>” -AutoDiscoverServiceInternalUri $NULL
After that, you can simple turn that server on, and do what you intended to do.

Regards,
Ivan.
0
 
LVL 1

Author Comment

by:paulfoel
ID: 41891388
Did that Ivan. Also completely uninstalled exchange on that new server so its gone in console and in AD.

Still looks like some users are getting errors. propagation?
0
 
LVL 1

Author Closing Comment

by:paulfoel
ID: 41891580
Excellent advice given. Saved my bacon,.,
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what you should include to make the best professional email signature for your organization.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question