CHI-LTD
asked on
Teams client getting certificate warning while I deploy new hybrid Exchange Server 2016
Hi
I am midway through installing a new Exchange 2016 server (it's currently about halfway) and one of my users had a certificate prompt come up in Microsoft Teams. The cert was referencing the new server name and the certificate was autodiscover.domain.com
I have pre-populated some of the settings in DNS for the hybrid box, namely the autodiscover record and an A record for the mail.domain.com DNS record
Ideas?
Should the certificate be installed by GPO? I recall the Exchange Server 2010 certs maybe in GPO..
Unless your users are using Office 365 for email, try turning OFF autodiscover for O365. This can be done in the registry but it has to be done on all workstations. Of course it can be deployed by group policy if you have a large organization. The regedit is:
- Find (or create if it doesn't exist) the following regkey: HKEY_Current_User\Software\Microsoft\Office\16.0\Outlook\Autodiscover.
- Add the following entry: REG_DWORD, ExcludeExplicitO365Endpoint, Value =1
ASKER
Yes, all mailboxes are using Exchange Online.
Then you're running in a hybrid configuration?
When the user accepted the certificate, did he get an error or did it just close the dialog box?
ASKER
Not in a true sense of mailboxes on prem and online, no, but it's still hybrid config on the 2010 setup/side and it's used to migrate mailboxes and continue with SMTP traffic etc.
ASKER
Closed the cert prompt.
If you install an on-premises Exchange server, it automatically adds its availability to AD.
To prevent this from being a problem, I recommend you install new Exchange servers into a "micro-site". An AD site that only contains a few addresses to hold the Exchange servers. Then, when installation and configuration is complete, change the IP address of the Exchange server to be in the primary/default/destination AD site.
It's difficult to answer without knowing your current configuration. For example, do you have centralized routing enabled? I.e., does autodiscover.yourdomain.com point to your on-prem server or Exchange Online?
This site has some troubleshooting steps: https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/known-issues/teams-exchange-interaction-issue
ASKER
We already have 2010 Exchange on prem acting as hybrid. Why would a new 2016 server affect everyone?
Not sure I follow you re micro site..
ASKER
nslookup for autodiscover.domain.local shows old Exchange. autodiscover.domain.com resolves to all 3 servers
So you need the certificate for autodiscover.domain.com on all three servers. Either that or just point autodiscover to the servers that have certificates configured.
If any client connects to a server that doesn't have a certificate installed, it will get a certificate error.
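A check for the situation described in the reply above, added here as an example and not code from the thread: it reports which servers behind a round-robin name lack a certificate covering that name. The server names and certificate name lists in `SAMPLE` are constructed; `probe()` is the live variant and needs network access.

```python
import socket
import ssl

def name_matches(hostname, pattern):
    """RFC 6125-style match: '*' may stand for the whole leftmost label only."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    # "*.domain.com" covers "autodiscover.domain.com" but not "domain.com"
    # or "a.b.domain.com".
    head, _, rest = host.partition(".")
    return bool(head) and rest == pat[2:]

def servers_missing_name(hostname, inventory):
    """Return the servers whose certificate names do not cover hostname."""
    return sorted(
        server for server, names in inventory.items()
        if not any(name_matches(hostname, n) for n in names)
    )

def probe(hostname, port=443, timeout=5):
    """Live check: TLS handshake with every address behind hostname.

    Returns {ip: None if the certificate validated, else the error text}.
    """
    ctx = ssl.create_default_context()  # verifies chain and host name
    results = {}
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    for ip in sorted({info[4][0] for info in infos}):
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname):
                    results[ip] = None
        except (ssl.SSLError, OSError) as exc:
            results[ip] = str(exc)
    return results

# Constructed inventory: server names and certificate names are made up.
SAMPLE = {
    "EX2010-A": ["mail.domain.com", "autodiscover.domain.com"],
    "EX2010-B": ["*.domain.com"],
    # Assumed: the new server so far carries only its own names.
    "EX2016-NEW": ["EX2016-NEW", "EX2016-NEW.domain.local"],
}

if __name__ == "__main__":
    print(servers_missing_name("autodiscover.domain.com", SAMPLE))
```

Running `probe("autodiscover.domain.com")` from a workstation shows per address which server fails validation, which is the one users land on when they see the prompt.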
ASKER
OK, I did wonder.
I've found this: https://www.alitajran.com/certificate-warning-during-or-after-a-new-exchange-server-installation/ which may negate the certificate?
ASKER
I've installed the cert but cannot see it in the EAC.. Very strange.
Also us admins are not getting this warning, just users..
There's a load of stuff you need to do first such as configuring the virtual directories on the new server.
Look at this page: https://msexperttalk.com/exchange-2010-to-exchange-2016-migration-part-3/
Follow the instructions for exporting/importing the certificate and configuring the virtual directories to match the names on the certificate.
ASKER
Great link. Prompts now gone by the looks of it.
Should the 'Configure virtual directories in Exchange 2016 Server' and below be done?
Yes.
ASKER
Migrate the administrator mailbox.
Migrate the arbitration mailboxes. See here: https://www.alitajran.com/move-arbitration-mailboxes-in-exchange-server/
Can you access the admin mailbox if you go to: https://mail.domain.com/owa/ and sign in as the administrator?