In some cases you will receive an error "Could not establish trust relationship for the SSL/TLS secure channel with authority 'CASName.domain.com'." when trying perform a native move request.
When a Native Move Request is performed the MAgE agent creates the New-MoveRequest PowerShell Cmdlet and submits it to Exchange.
Execute PowerShell: New-MoveRequest -Identity 01ea8b4f-0c51-4f4e-91b8-298cb9d506c6 -TargetDatabase 0671fccb-5b85-4256-8527-005d8cfc5bd0 -RemoteGlobalCatalog SourceDC.sourcedomain.com -RemoteCredential [sourcedomain\serviceacco] -TargetDeliveryDomain targetdomain.com -BatchName QMMEX(2BB01037-E212-4872-8363-D15DB47FF6A3), TargetDB(0671fccb-5b85-4256-8527-005d8cfc5bd0) -BadItemLimit 10 -SuspendWhenReadyToComplete -Remote -RemoteHostName CASName.domain.com
You can see that the -RemoteHostName value "CASName.domain.com" matches the server in the error above. There is no place to configure this value within MMEX (Migration Manager for Exchange) so then where does the tool get this value to populate the -RemoteHostName parameter?
The MAgE Agent gets the -RemoteHostName value from the LEDN (Legacy Exchange Domain Name) property of the mailbox database. From there it finds the RPCClientAccessServer attribute and populates the -RemoteHostName property.
In most cases this is not an issue as the server name is either that of an Exchange Server or that of a CAS Array and both of which have a SAN or Server Certificate associated with it. In rare cases where the RPCClientAccessServer attribute doesn't have a shared namespace with a certificate this can generate the error referenced in the problem description.
So then how can this be changed so that the MAgE doesn't use the CAS Array and it uses the CAS Server instead if you can't configure the MAgE within MMEX?
Use the following command to associate a database with a Client Access server or Client Access array:
Set-MailboxDatabase <Database_name> -RpcClientAccessServer <ClientAccess ServerName or ClientAccess-ArrayName>
This command changes the legacyExchangeDN attribute of the Mailbox Database. The value is stored in the following location:
CN=Mailbox Database ##########,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
After this is done the MAgE will see the change and connect to the CAS Server instead of the CAS Array namespace.
*** It is important to note that changing the RPCClientAccessServer attribute from the CAS Array to a Server will break the high availablity of that mailbox database. Depending on your migration strategy you can create a new mailbox database and modify the RPCClientAccessServer to a CAS Server to be used, and then move the users to be migrated to that migration database.