Exchange 2003 and RPC over HTTP

So I’m in the process of moving some mailboxes from an SBS 2003 server to Exchange 2003 on a Windows 2003 Server installation (need more than the 75 licenses that SBS offers). All went really well, except I couldn’t get RPC over HTTP to work on the new install. I was up all night Sunday trying it, and it just wouldn’t take. Worse yet, I then had to switch everything back because it was getting close to the time people would start using the system.

I’ve since managed to get things working again, but it was a multi-step process.

The first thing that seemed to cause issues was the certificate. It appears that the self-issued certificate from SBS 2003 works a bit differently than a self-issued certificate from a Windows Certificate Authority, and I just could not get the connection made. The problem with RPC over HTTP is that you don’t get much in the way of error messages.

That’s when I stumbled across this tip that talks about testing a connection. Outlook has a command-line option (/rpcdiag) that lets you watch the connection process, and then tells you if you are connected. I can’t say that this actually helped troubleshoot, but it was nice to see that the connection was working.

So I went back to the certificate, and played some more. I found RapidSSL, who offers a free 30-day trial certificate. Sweet! This way I wouldn’t have to worry with the self-issued certificate at all. Except… it still didn’t work. And that’s when it came down to the names I was using.

If you’ve set up this sort of configuration, you know there are two places to specify the server name. One is on the initial page, where you specify your server name in the Microsoft Exchange Server field, and your name below it. I found through testing that this name must match the internal name of your server. Furthermore, though they say it can be just a NetBIOS name, I never got that to work. I had to use the fully qualified domain name (FQDN).

The second place to put the server name is when you’re setting up the Exchange proxy settings. This server name can match the other name, if you’re on the same server, but more specifically, this must match the name on the certificate. So wherever or however you publish your secure RPC directory, the server name on the certificate should be in this field.
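A quick way to sanity-check those two names before touching an Outlook profile. This is an added example, not part of the original post: the host names and the sample certificate are constructed, the certificate dict is shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and wildcard handling follows general RFC 6125 rules rather than anything Outlook-specific.

```python
import ipaddress

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}

def is_fqdn(name):
    """True for a dotted DNS name; False for a NetBIOS-style name or an IP."""
    name = name.rstrip(".")
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        labels = name.split(".")
        return len(labels) >= 2 and all(labels)

def cert_dns_names(cert):
    """SAN DNS entries if present, otherwise the subject CN (RFC 6125 order)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(cert_name, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == cert_name[2:]
    return cert_name == host

def check_profile(exchange_server, proxy_server, cert):
    """Return a list of problems; an empty list means the names line up."""
    problems = []
    if not is_fqdn(exchange_server):  # the post found NetBIOS names did not work
        problems.append(f"Exchange server '{exchange_server}' is not an FQDN")
    names = cert_dns_names(cert)
    if not any(name_matches(n, proxy_server) for n in names):
        problems.append(f"proxy '{proxy_server}' not in certificate names {names}")
    return problems

if __name__ == "__main__":
    # Constructed profile values: NetBIOS server name, proxy set to internal name.
    for problem in check_profile("EXCH01", "exch01.corp.example.local", SAMPLE_CERT):
        print("FAIL:", problem)
```

To check a live server, pass the dict returned by `getpeercert()` on a verified TLS connection to the proxy host in place of `SAMPLE_CERT`.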

