Autodiscover Redirect Issues After Email Domain Change

Our Active Directory domain was set up years ago with the same domain name as our public website (let's call it oldname.org).  I understand now that that is not best practice, but that is what I inherited.  Our Exchange server is simply named Exch2013, so its name in our domain is Exch2013.oldname.org.  However, when it was set up all the URLs were set up as exchange.oldname.org.  We have an internal DNS entry by that name that points to the internal IP of the server as well as an external DNS entry by that name that points to an allotted IP for the server (for OWA and HTTPS access for Outlook clients outside the office).  I did not configure this Exchange server (and the people who did are no longer at my disposal), so I'm not familiar with a lot of the actual terms and what they refer to (CAS, SCP, etc.).

Our organization is changing its name, so I was tasked with changing our email addresses from @oldname.org addresses to @newname.org email addresses.  I added another internal relay (weird I know, but have always used an internal relay setup, as Google Apps actually holds our MX records because we have a large organization but only want to use Exchange for our little office) just like the @oldname.org internal relay is setup.  I made sure the Send Connectors were good.  When it was time for the cut-over, I simply changed everyone's default Reply Address using our Email Address Policy.  This worked great.  Everyone is able to both send and receive as @newname.org.  But there is a problem.

When someone goes outside of our office (off our LAN) and connects using Outlook (I think this is Outlook Anywhere?), they get a message saying "Allow this website to configure emailaddress@newname.org server settings?"  It then lists the website as "http://www.oldname.org/autodiscover/autodiscover.xml" and says, "Your account was redirected to this website for settings."  For further information, this message only appears for people who have created a new Outlook profile that auto-discovered their new @newname.org email address.  If they open up their old profile that was setup (autodiscovered) when the email addresses were all @oldname.org, they don't get the redirect message.

I have not changed any settings on the Outlook Anywhere addresses or the Virtual Directories.

I've found plenty of stuff on Google on how to ignore that message using a registry edit, but what I want is to configure things properly so that the message does not appear.  This technet article talks about the lack of need for autodiscover virtual directories, but if I'm honest, I didn't understand that very well.  What do I need to be looking at?  Is there a proper way to do this?

July 1st, 2015 10:34pm

I think your issue is that while the client is successfully connecting to Exchange, Exchange is still configured to direct the client to the old autodiscover URL using the old domain (e.g. the one that was correct when it was set up). Since that URL still works, it will connect rather than rolling over to the next autodiscover method. If the returned URL is part of the same domain as the email address being discovered, then it will be added automatically without prompting, but if it's a different domain then you'll get the warning (note: if users simply check the option to always allow it, then it will only appear once and they won't see it again).

I'm not certain but I think you'll want to look at Set-ClientAccessServer (https://technet.microsoft.com/en-us/library/bb125157%28v=exchg.150%29.aspx) to update that URL to use the new domain version of your server address. You can use Get-ClientAccessServer (https://technet.microsoft.com/en-us/library/bb124785(v=exchg.150).aspx) to check where it's pointing currently and see if it is indeed going to the old domain. You can also find more information on how autodiscover works here https://technet.microsoft.com/en-us/library/bb124251%28v=exchg.150%29.aspx

July 2nd, 2015 2:26am
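An added audit script (not posted by Keith or anyone else in this thread) that collects every client-facing URL and hostname Exchange 2013 hands out, including the AutoDiscoverServiceInternalUri that Get-/Set-ClientAccessServer operate on, and flags the values still carrying the old domain. Get-ClientAccessServer's default table output shows only the server name, so the URI has to be selected explicitly, which this does. It runs in the Exchange Management Shell; oldname.org is the placeholder the question uses and is an assumption here.

```powershell
# Added audit script, not from the thread. Run in the Exchange Management Shell on Exchange 2013.
# $OldDomain is the question's placeholder for the old AD/e-mail domain (assumption: adjust it).
$OldDomain = "oldname.org"
$oldPattern = "[./]" + [regex]::Escape($OldDomain) + "(/|:|$)"

$rows = New-Object System.Collections.Generic.List[object]
function Add-Row($Server, $Object, $Setting, $Value) {
    $rows.Add([pscustomobject]@{
        Server    = "$Server"
        Object    = $Object
        Setting   = $Setting
        Value     = "$Value"
        OldDomain = ("$Value" -match $oldPattern)
    })
}

# Autodiscover SCP URI: what domain-joined Outlook reads from AD on the LAN.
# The default table output of Get-ClientAccessServer hides this property.
Get-ClientAccessServer | ForEach-Object {
    Add-Row $_.Name "ClientAccessServer" "AutoDiscoverServiceInternalUri" $_.AutoDiscoverServiceInternalUri
}

# Outlook Anywhere hostnames (what Outlook connects to for RPC-over-HTTP off the LAN).
Get-OutlookAnywhere | ForEach-Object {
    Add-Row $_.Server "OutlookAnywhere" "InternalHostname" $_.InternalHostname
    Add-Row $_.Server "OutlookAnywhere" "ExternalHostname" $_.ExternalHostname
}

# Virtual directories whose Internal/ExternalUrl values Autodiscover returns to clients.
$vdirCmdlets = "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory", "Get-WebServicesVirtualDirectory",
               "Get-OabVirtualDirectory", "Get-ActiveSyncVirtualDirectory", "Get-AutodiscoverVirtualDirectory"
foreach ($cmd in $vdirCmdlets) {
    & $cmd | ForEach-Object {
        $obj = $cmd -replace "^Get-", ""
        Add-Row $_.Server $obj "InternalUrl" $_.InternalUrl
        Add-Row $_.Server $obj "ExternalUrl" $_.ExternalUrl
    }
}

# Anything flagged True is a name an @newname.org client can still be handed (and must be able
# to resolve and match against the certificate). Empty ExternalUrl values are listed too.
$rows | Sort-Object OldDomain -Descending | Format-Table Server, Object, Setting, Value, OldDomain -AutoSize
```

The server's own FQDN (EXCH2013.oldname.org) will show up as flagged wherever an internal URL still uses it; that is only a problem for clients that cannot resolve it or whose certificate does not cover it, which is exactly the split between LAN and Outlook Anywhere users described in the question.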

Hi,

I would like to add a few things to Keith's info. And yes, once you go off the LAN, if you are not over VPN, then it is Outlook Anywhere.

I would first like to know what your current Primary SMTP Address is. If it is newdomain.org, then Outlook is using the SRV record to connect to your Exchange server.

Say your email address is abc@newdomain.org. Outlook will then look for your Exchange server by the following method: the SRV record for _autodiscover._tcp.newdomain.org, and this would be pointing to your olddomain.org in the public DNS.

Hence there is a change in the domain name that Outlook is looking for, due to which Outlook is giving you a warning. This is by design if you have an SRV record for Autodiscover.

You can follow the below steps to verify if you have SRV Method for your new domain:

Open cmd from an external machine and run the following:

nslookup
set type=srv
_autodiscover._tcp.newdomain.org

In the above, replace newdomain.org with your actual new domain name and see if it has any entries.

If so, you would get the prompt. To avoid it, you would need to change the Outlook Anywhere URL as well as get a new certificate with a NEW URL for the Exchange CAS server which satisfies the URL.

Do let me know your findings and we will figure it out.

Karthick.

July 2nd, 2015 8:12am
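Karthick's post describes the order in which an off-LAN Outlook client looks for Autodiscover and why an answer from a different domain produces the prompt. The script below is an added example, not something Karthick or the OP ran: it walks the same candidate list for an @newname.org address from outside the LAN, records where each URL redirects without following the redirect, and reports whether the target host lies outside the e-mail domain, which is the condition behind the "Allow this website to configure ..." prompt. newname.org is the question's placeholder; Resolve-DnsName needs Windows 8 / Server 2012 or later; the lookup order (bare domain, autodiscover host, unauthenticated HTTP redirect check, SRV) is Outlook's documented sequence once the AD SCP lookup is unavailable off the LAN. The Prompts column applies only the domain-suffix rule, not every client-side policy and registry override Outlook consults.

```powershell
# Added example (not from the thread): walk the Autodiscover candidates an off-LAN Outlook
# uses for an @newname.org address and show where each one redirects, without following it.
# "newname.org" is the question's placeholder; run this from a machine outside the LAN.
param([string]$EmailDomain = "newname.org")

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Get-RedirectTarget {
    # GET the URL with AllowAutoRedirect off so a 301/302 is returned to us instead of followed.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/404 still carry a response object; DNS, connect and TLS failures do not.
        $resp = $_.Exception.Response
        if (-not $resp) {
            return [pscustomobject]@{ Url = $Url; Status = "$($_.Exception.Status)"; Location = $null }
        }
    }
    $result = [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Location = $resp.Headers["Location"] }
    $resp.Close()
    return $result
}

function Test-CrossDomainRedirect {
    # Outlook follows a redirect silently when the target host is inside the SMTP domain
    # and shows "Allow this website to configure ... ?" when it is not.
    param([string]$EmailDomain, [string]$Location)
    if (-not $Location) { return $false }
    $targetHost = ([System.Uri]$Location).Host
    return -not ($targetHost -eq $EmailDomain -or $targetHost.EndsWith(".$EmailDomain"))
}

# Outlook's order once the AD SCP lookup is unavailable off the LAN:
# 1. https://<domain>/autodiscover/autodiscover.xml  (answered by whoever hosts the bare domain, often the web site)
# 2. https://autodiscover.<domain>/autodiscover/autodiscover.xml
# 3. unauthenticated redirect check on http://autodiscover.<domain>/autodiscover/autodiscover.xml
# 4. SRV record _autodiscover._tcp.<domain>
$candidates = @(
    "https://$EmailDomain/autodiscover/autodiscover.xml",
    "https://autodiscover.$EmailDomain/autodiscover/autodiscover.xml",
    "http://autodiscover.$EmailDomain/autodiscover/autodiscover.xml"
)
$report = foreach ($url in $candidates) {
    $r = Get-RedirectTarget -Url $url
    [pscustomobject]@{
        Candidate = $url
        Status    = $r.Status
        Location  = $r.Location
        Prompts   = Test-CrossDomainRedirect -EmailDomain $EmailDomain -Location $r.Location
    }
}
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$EmailDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq "SRV" } | Select-Object -First 1
if ($srv) {
    $srvUrl = "https://$($srv.NameTarget)/autodiscover/autodiscover.xml"
    $report += [pscustomobject]@{
        Candidate = "SRV _autodiscover._tcp.$EmailDomain"
        Status    = "record"
        Location  = $srvUrl
        Prompts   = Test-CrossDomainRedirect -EmailDomain $EmailDomain -Location $srvUrl
    }
}
$report | Format-Table -AutoSize -Wrap
```

A 401 on the https://autodiscover.newname.org candidate is the healthy answer (Exchange wants credentials before it returns settings); a 3xx whose Location sits on another domain, or an SRV target on another domain, is the row that explains the prompt the OP's users see.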

Karthick,

Thanks for your response.

Regarding your question, "What is your current Primary SMTP Address?" I am not sure whether you are referring to the Reply As email address or the 'default domain' as set in the Mail Flow > Accepted Domains section of the ECP (how I tend to interact with Exchange).  I can say that most of the accounts are set with their Reply As email address as @newdomain.org.  Also, I changed the 'default domain' to newdomain.org when I made the switch.

Honestly, I'm extremely confused on the SRV Record thing.  I never manually set an SRV record, either internally or externally, so anything that is or is not set must have been automatically created.  All I set in DNS was the A Record to point to the exchange.olddomain.org for access to OWA and Outlook Anywhere.  But I don't think that's what you're referring to.

I ran the srv nslookup for _autodiscover._tcp.OLDdomain.org and got:

Server: regional.isp.dnsserver.com
Address: xxx.xxx.xxx.xxx

OLDdomain.org
   primary name server = dns1.name-services.com
   responsible mail addr = info.name-services.com
   serial = ##########
   refresh = 10800 (3 hours)
   retry = 3600 (1 hour)
   expire = 604800 (7 days)
   default TTL = 3600 (1 hour)

When I did it for the new domain (_autodiscover._tcp.NEWdomain.org), I got the same EXACT values, including the line that says OLDdomain.org.

You say that we might need to change the Outlook Anywhere URL "as well."  Does that mean along with Set-ClientAccessServer that Keith suggested above?  Would I only change the external hostname for Outlook Anywhere and leave the internal one the same, or would I change both?

July 2nd, 2015 11:38am

Keith,

Thanks for your quick reply.  When I run Get-ClientAccessServer, it returns EXCH2013, which is the name of the server itself.  Even if it is tagging on the .olddomain.org to make it an FQDN, exch2013.olddomain.org is not an address that I have in external DNS anywhere, so that can't be the address that the external Outlook users are using to connect to Exchange, can it?

Mike

July 2nd, 2015 11:55am

Hi Mike,

In a nutshell, you would need to do the following changes to remove the warning message:
1. Run the command:

$servername = hostname

$a = "webmail.newdomain.org"   # FQDN or URL of the server; substitute your own

Get-OutlookAnywhere -Server $servername | Set-OutlookAnywhere -InternalHostname $a -ExternalHostname $a -InternalClientAuthenticationMethod Ntlm -ExternalClientAuthenticationMethod Ntlm -IISAuthenticationMethods Ntlm,Basic,Negotiate -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

The above set of commands has to be run on all the servers.

That covers the changes on the server side. In public DNS you would need the following A records pointing to your CAS server:

webmail.newdomain.org

Autodiscover.newdomain.org

Once this is set, you would need a valid certificate with the following entries in it:

webmail.newdomain.org

Autodiscover.newdomain.org

Make sure you remove any SRV records in your public DNS that relate to Autodiscover. Once this is done, make sure that you have only A records for Autodiscover.

After this is set, restart the IIS service on the server and then attempt to set up an account; it should not show the warning anymore.

----------------------------------

Good to know:
With the above steps, what we are actually doing is telling Outlook to follow the first method of Autodiscover, which is the DNS method.

July 3rd, 2015 2:15am
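The post above lists the pieces of the cut-over (Outlook Anywhere hostnames, two public A records, a certificate carrying both names, no SRV record, an IIS restart). The script below is an added example, not posted by Karthick or run by the OP, that carries the remaining server-side steps through in one place once the Set-OutlookAnywhere command from the post has been run. It assumes the OP's server name EXCH2013 and takes exchange.newname.org and autodiscover.newname.org as the new public names (placeholders; the post used webmail.newdomain.org). It also sets each virtual directory's internal URL to the same host as the external one, which is what lets a single certificate satisfy both LAN and Internet clients; that in turn assumes internal (split) DNS resolves exchange.newname.org to the server's LAN address. The public resolver used for verification (8.8.8.8) is an assumption as well.

```powershell
# Added example (not from the thread): remaining server-side steps of the domain cut-over.
# Run in the Exchange Management Shell after the Set-OutlookAnywhere command from the post.
# Placeholders: the OP's server EXCH2013; exchange.newname.org / autodiscover.newname.org
# as the new public names (assumed), with split DNS resolving $NewHost on the LAN.
$Server    = "EXCH2013"
$NewDomain = "newname.org"
$NewHost   = "exchange.$NewDomain"
$AutoHost  = "autodiscover.$NewDomain"
$Resolver  = "8.8.8.8"   # any public resolver; used only to check what the Internet sees

# 1. Point the Autodiscover SCP (what domain-joined Outlook reads from AD on the LAN) at the new name.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoHost/autodiscover/autodiscover.xml"

# 2. Same internal and external URL on every virtual directory, so Autodiscover returns one
#    host name that the certificate in step 3 covers for LAN and Outlook Anywhere clients alike.
$vdirs = @(
    @{ Cmd = "Set-OwaVirtualDirectory";         Id = "$Server\owa (Default Web Site)";                         Path = "owa" },
    @{ Cmd = "Set-EcpVirtualDirectory";         Id = "$Server\ecp (Default Web Site)";                         Path = "ecp" },
    @{ Cmd = "Set-WebServicesVirtualDirectory"; Id = "$Server\EWS (Default Web Site)";                         Path = "EWS/Exchange.asmx" },
    @{ Cmd = "Set-OabVirtualDirectory";         Id = "$Server\OAB (Default Web Site)";                         Path = "OAB" },
    @{ Cmd = "Set-ActiveSyncVirtualDirectory";  Id = "$Server\Microsoft-Server-ActiveSync (Default Web Site)"; Path = "Microsoft-Server-ActiveSync" }
)
foreach ($v in $vdirs) {
    $url = "https://$NewHost/$($v.Path)"
    & $v.Cmd -Identity $v.Id -InternalUrl $url -ExternalUrl $url
}

# 3. Bind the certificate that carries the new names (a *.newname.org wildcard or a SAN cert)
#    to IIS and SMTP. -Force skips the prompt about replacing the default SMTP certificate.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.CertificateDomains -contains $NewHost -or $_.CertificateDomains -contains "*.$NewDomain" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate on $Server covers $NewHost; import one before continuing." }
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 4. Public DNS must carry A records for both names and no _autodiscover._tcp SRV record,
#    otherwise Outlook can still be steered to another domain and prompt.
foreach ($name in $NewHost, $AutoHost) {
    Resolve-DnsName -Name $name -Type A -Server $Resolver -ErrorAction Stop | Select-Object Name, IPAddress
}
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$NewDomain" -Type SRV -Server $Resolver -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq "SRV" }
if ($srv) { Write-Warning "SRV record still present in public DNS: $($srv.NameTarget)" }

# 5. Recycle IIS so the new URLs and certificate binding are served.
iisreset /noforce
```

Binding the new certificate to IIS before the internal URLs and split DNS are in place is what produced the certificate-mismatch warnings the OP reports later in the thread: LAN clients were still being handed exchange.oldname.org and EXCH2013.oldname.org, names the *.newname.org certificate does not cover. Changing the URLs first and the binding second avoids that window.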

Hi Mike,

Any update on this.

July 7th, 2015 2:17am

Karthick,

My apologies for the delay.  I wear a lot of hats here, and the other stuff had me bogged down.

I was talking to a consultant on the side to ask his advice, and he had me do the following:

  • Add DNS entry for autodiscover.newdomain.org
  • Add the wildcard cert for *.newdomain.org to the Exchange server
  • Check the SMTP service on the new *.newdomain.org cert
  • Run this command in PowerShell: Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web Site)' -WindowsAuthentication $true

This does not appear to have changed anything, except that now I get a security certificate mismatch warning when opening Outlook from a remote computer.

Regarding your suggestion, I just am not sure which parts to substitute with my own information.  At least on the line ($a = FQDN or the URL of the Server {you can give the URL as : webmail.newdomain.org}) you specify what to substitute.  Could you help me out a little with that?

At one point I tried checking the IIS service box for the *.newdomain.org just to see if that would fix anything, but immediately internal clients were met with warnings, so I switched that back.

Any further assistance would be greatly appreciated, as my "consultant" was not as helpful as I would have thought.

Mike

July 15th, 2015 12:39pm

This topic is archived. No further replies will be accepted.
