Hello,
I recently inherited an Exchange environment (2003 and 2010 co-exist). One of my first tasks was to create a CASArray so that internal MAPI (Outlook 2010 clients) can use that as an access point rather than creating an RPC connection directly to a CAS server.
We have a split-DNS in place and there were already two CNAME (alias) records in place for autodiscover.domain.com and webmail.domain.com. Both of these aliases/CNAMEs pointed to a CAS server (casserver1.domain.local).
I created the CASArray (outlook.domain.com), updated the following internal URLs to match the external URLs:
Set-ClientAccessServer -Identity <> -AutoDiscoverServiceInternalUri "https://webmail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity <> -InternalUrl "https://webmail.domain.com/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity <> -InternalUrl "https://webmail.domain.com/oab"
Made sure my certificates were in order. I removed any odd/old certificates then assigned all the services to a 3rd party CA cert (DigiCert). Ensured that the cert with the services had the correct SAN names (webmail.domain.com, autodiscover.domain.com, etc...). The only cert that is left is the 3rd party cert and the self-signed cert.
I did the above two procedures for all virtual directories for the 5 CAS servers that are present within the environment (casserver1, casserver2, casserver3, casserver4, casserver5).
All of that worked great. I created a new DB (rather than reset the RPCClientAccessServer parameter on the existing DBs) and moved my mailbox over to the new DB. Did a quick repair of my Outlook profile so it would go to the CASArray (outlook.domain.com). That worked normally.
As a last step I changed the internal DNS records (webmail.domain.com and autodiscover.domain.com) to be 'A' records which point to the IP of the CASArray (outlook.domain.com) which corresponds to the IP of a WNLB (10.x.x.x).
Once I made that change and waited for DNS replication, my Outlook client started throwing a mismatched certificate error. The odd part is that the cert that Outlook is showing does not exist within the environment anymore. I ran a Get-Certificate command to see if there were any remnants but it returned the two certificates that I explained above.
I even did an IIS reset and a reboot of the CAS servers, however the cert error still appeared. I reverted my DNS change, recreated the CNAME and pointed it back to casserver1.domain.local. Waited for DNS replication and re-opened Outlook. Outlook responded normally.
So my question is: what is going on here? Where am I getting this cert error? Is my thinking correct that I should be using the DNS 'A' record that points to the WNLB rather than a CNAME that just points to an individual CAS server?
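An added diagnostic, not part of the original post: the certificate a client sees is whatever the endpoint it actually connected to hands back in the TLS handshake, and Get-ExchangeCertificate only lists certificates in the local machine store of each Exchange server. The script below dials every client-facing name on TCP/443 (the names are the ones used in the question; the environment, host names and the Exchange Management Shell are assumed), records which IP each name resolves to and which certificate is presented, then lists any presented thumbprint that no CAS server reports. A hit in that last list means the certificate is being served by something other than an Exchange-managed binding, for example a stale IIS binding on one node behind the load balancer or a device terminating TLS in front of the servers.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell
# on a box that can reach the VIP and every CAS server directly.
# Host names are assumed from the question; adjust for your environment.
$names = @('webmail.domain.com', 'autodiscover.domain.com', 'outlook.domain.com',
           'casserver1.domain.local', 'casserver2.domain.local', 'casserver3.domain.local',
           'casserver4.domain.local', 'casserver5.domain.local')

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    # Accept any certificate: this is a diagnostic that wants to *see* the cert,
    # not a client that should trust it.
    $noValidation = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noValidation)
        # Authenticate against the name we dialled, exactly as Outlook would.
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = '(none)'
        if ($sanExt) { $san = $sanExt.Format($false) }
        $ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() }

        New-Object PSObject -Property @{
            Name       = $HostName
            ResolvesTo = ($ips -join ',')
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            SAN        = $san
            NotAfter   = $cert.NotAfter
        }
    } finally {
        $tcp.Close()
    }
}

# 1. What each name actually resolves to and presents.
$presented = $names | ForEach-Object { Get-PresentedCertificate -HostName $_ }
$presented | Format-Table Name, ResolvesTo, Thumbprint, Subject -AutoSize

# 2. What Exchange itself knows about, per CAS server.
$known = Get-ClientAccessServer | ForEach-Object {
    $server = $_.Name
    Get-ExchangeCertificate -Server $server | ForEach-Object {
        New-Object PSObject -Property @{
            Server     = $server
            Thumbprint = $_.Thumbprint
            Services   = $_.Services
            Subject    = $_.Subject
        }
    }
}
$knownThumbprints = $known | ForEach-Object { $_.Thumbprint }

# 3. Anything presented on the wire that no Exchange server lists is being served
#    by something other than an Exchange-managed binding (stale IIS binding on one
#    node, a different host answering for the VIP, or TLS termination in front).
Write-Host "Presented certificates unknown to Exchange:"
$presented | Where-Object { $knownThumbprints -notcontains $_.Thumbprint } |
    Format-Table Name, ResolvesTo, Thumbprint, Subject, Issuer -AutoSize
```

Because the VIP is load balanced, run the script several times: each run may land on a different node, and a single node with a leftover binding will only show up on the runs that hit it. Comparing the `ResolvesTo` column for webmail.domain.com and outlook.domain.com also confirms whether the A-record change has replicated to the resolver the client is using.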