andrewharris

asked on

Help with setup of Exchange server

OK, I have been battling for a while to get this configuration going but no luck.

I have our public domain (xyz.com.au) and our local domain xyz.local. xyz.local is an Active Directory domain, while xyz.com.au is a standard DNS domain.

DNS for xyz.com.au has an entry for mail.xyz.com.au that points to say 1.1.1.75 and DNS internally has mail.xyz.local that points to 192.168.1.252.

Our firewall routes ports 25, 110 and 80 from our mail servers external IP Address to our internal IP Address.

Now, internally, when I use Outlook and add a new mailbox, when I enter a server name of mail.xyz.com.au and a valid username, all works fine, but the server name gets changed to its internal server name mail.xyz.local. No problems...it works...Just something I noticed.

Now, for the part that doesn't work. I have a number of laptop users, all of whom have Outlook 2003. I am trying to get RPC over HTTP working so I can use "Exchange over the Internet". The problem I am having is that when I try to do a Check Name from external to the local network, i.e. from home, I get an Internet Explorer authentication box from realm mail.xyz.com.au. The authentication never passes and so I can never get it to work. I can't use the previously working "Check Name" from on the local network as the server name changed to the internal server name.

Any ideas what is going wrong?

Andrew
ASKER CERTIFIED SOLUTION
Sembee
This solution is only available to members.
andrewharris (ASKER)

You are a star...I can now get into Outlook. The missing thing was that 'Use HTTP THEN TCP/IP' for FAST networks was unchecked.

One issue though is that I get this now:
Task 'Mailbox - Andrew Harris' reported error (0x8004011D) : 'The server is not available. Contact your administrator if this condition persists.'
Task 'Mailbox - Andrew Harris - Sending' reported error (0x80040115) : 'The connection to the Microsoft Exchange Server is unavailable.  Outlook must be online or connected to complete this action.'

Any ideas?

Andrew
They are MAPI errors.
If you remove RPC-HTTP does it work when you are on the network? You need to rule out a problem with your mailbox.

Simon.
Well, at first I did have the problem while connected locally, but I sorted a DNS problem and that works fine. So now I only get it when connected remotely.

The problem I get is when I first get Outlook started, it moves straight to being "Disconnected".

Andrew
Going straight to disconnected means that there is still a problem with connection to the Exchange server.

Do the following on network:

Try creating a new profile without the RPC-HTTP settings and see if that connects.
If so, add the RPC-HTTP settings. See if it still connects.

Once you have confirmed the above stages, take the machine off net to see if it works.

Simon.
I did that, thats what my last post was (trying) to say.

Connected locally, with and without RPC-HTTP all is OK. Connected remotely with RPC-HTTP I get this problem. I need to add too, that if I take cached mode off then I cant even start outlook remotely.

Andrew
Getting RPC-HTTP to work is a step by step process - trying to rush ahead usually results in problems. It is actually quite complex to get going - but once it is running, very easy to implement and maintain.

When on network start Outlook with the rpcdiag switch

outlook /rpcdiag

All elements should be connecting with https. In addition, if the machine is a member of the domain you shouldn't get prompted for a username and password.
If anything is connecting with TCP/IP then RPC-HTTP isn't working correctly.

Next, repeat the process outside of the network and see which component is failing.

If it works fully inside then there has to be something wrong either with the firewall configuration, dns or something else interfering with the connection.

Simon.
Sembee,

I take your point on rushing and can see why.

I still get a prompt for username/password and have had to set the Proxy Authentication to use Basic Authentication as NTLM never authenticates successfully (this may be due to a Group Policy setting we have...I am looking into that).

Both internally and externally, /rpcdiag show that I am using HTTPS. The part that worries me is that, once Outlook is started, /rpcdiag shows 2 entries, and both are for our Domain Controller. Do I need to make the Exchange Server a Domain Controller?

Andrew
Don't make the Exchange server a domain controller. Lots of people do that and it causes lots of problems. It isn't recommended and Exchange is a lot happier on a member server.

Step back a bit more if you will for a moment please? Does OWA work with that certificate?

You shouldn't be seeing the domain controller listed. For both entries it should be the internal FQDN of the Exchange server. Don't worry - that is by design.

Thus, if you have entered mail.domain.com but your internal address is exchange.domain.local, then exchange.domain.local is what rpcdiag will show.

The authentication problems are well known - there is a fix for that. http://support.microsoft.com/?kbid=820281

RPC Proxy needs to be installed on the Exchange server.
HTTPS needs to be installed on the Exchange server.
The clients need to be pointing at the Exchange server either internally or externally by DNS - ie mail.domain.com needs to resolve correctly whether you are inside or outside - although the results may be different.
Something isn't right with the setup.

What I should have asked right at the start is whether this is Exchange 2003 SP1, which has been configured with the GUI, or Exchange 2003 with no SP, which has been configured by manual registry edits. It can make a difference.

Simon.
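The checklist above (the published name must resolve both inside and outside, HTTPS must be reachable on the Exchange server, and the certificate must be for the name Outlook was given) can be run as a pre-flight script from a laptop on the LAN and then from home. This is an added example, not code from the thread or from amset.info: mail.xyz.com.au is the thread's external name, the certificate dictionaries in the usage section are constructed in the shape Python's ssl.getpeercert() returns, and the cafile argument is an assumption (the internal CA certificate the thread's laptops would already trust).

```python
"""Pre-flight checks for an RPC over HTTP front end, run from inside and then outside the LAN.

Added example, not from the thread. Three checks: the published name resolves
(answers may legitimately differ inside and outside), TCP 443 completes a TLS
handshake, and the certificate presented is valid for the name Outlook uses.
"""
import socket
import ssl


def resolve(hostname):
    """All addresses the local resolver returns for hostname (empty if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_peer_cert(hostname, port=443, cafile=None, timeout=5.0):
    """Do a TLS handshake and return the decoded certificate dict.

    cafile (assumed: the internal CA that issued the thread's certificate) is
    needed so the chain verifies; hostname checking is disabled here so that a
    name mismatch is reported by diagnose() instead of aborting the handshake.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=False)


def cert_names(cert):
    """DNS names a getpeercert()-style dict is valid for: SAN DNS entries, else the subject CN."""
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def cert_covers(cert, hostname):
    """True if any name in the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def diagnose(hostname, addresses, cert):
    """Turn the raw check results into the findings a practitioner would act on."""
    findings = []
    if not addresses:
        findings.append(f"{hostname} does not resolve from this network")
    elif cert is None:
        findings.append(f"no TLS on {hostname}:443 (firewall rule or RPC proxy missing?)")
    elif not cert_covers(cert, hostname):
        names = ", ".join(cert_names(cert)) or "(no DNS name)"
        findings.append(f"certificate is for {names}, not {hostname}")
    return findings


def check(hostname, cafile=None):
    """Run all three checks against a live host and return the findings list."""
    addresses = resolve(hostname)
    cert = None
    if addresses:
        try:
            cert = fetch_peer_cert(hostname, cafile=cafile)
        except (OSError, ssl.SSLError):
            cert = None
    return diagnose(hostname, addresses, cert)


if __name__ == "__main__":
    # Constructed certificate dicts in getpeercert() shape, to show the two outcomes offline.
    external_cert = {"subject": ((("commonName", "mail.xyz.com.au"),),),
                     "subjectAltName": (("DNS", "mail.xyz.com.au"),)}
    internal_cert = {"subject": ((("commonName", "mail.xyz.local"),),)}
    print(diagnose("mail.xyz.com.au", ["192.168.1.252"], external_cert))  # []
    print(diagnose("mail.xyz.com.au", ["192.168.1.252"], internal_cert))
    # Live run (needs network): print(check("mail.xyz.com.au", cafile="internal-ca.pem"))
```

Run it once on the LAN and once from outside; a differing address list is expected with split DNS, but any finding from the other two checks points at the firewall, the RPC proxy, or the certificate rather than at Outlook.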
Simon,

Thanks for your patience....

The certificate we are using was generated by an internal certificate server for mail.xyz.com.au and works fine. OWA works fine and IE doesn't complain.

When you said "You shouldn't be seeing the domain controller listed", where "shouldn't" I be seeing it? I think you mean in rpcdiag, in which case I definitely see the FQDN of my DC with a "type" of "Directory".
Oops...wrong button :-/

Lastly, my Exchange setup is Exchange 2003 SP1 configured by GUI.


Andrew
I would usually recommend a purchased certificate. These cause less problems for RPC-HTTP implementations. However as you have managed to get IE to accept the certificate Outlook should be fine.

I did mean in RPCDIAG - when I run it from a production system I built earlier in the year the only server listed is the Exchange server.
Take a look at this page and you will see two screenshots, one of a working installation and one of a faulty installation:

http://www.amset.info/exchange/rpc-http-diag.asp

I have lots of patience - you have to in this industry. Doesn't help that I am around 12 hours different on the time zone (UK).

Simon.
Simon,

Your patience is appreciated :-).

No hassle on the timezone difference. I am normally up at your time, just the last few days I have had no excuses to be up so I haven't been (take the opportunities when you can ;-)).

From reading through http://www.amset.info/exchange/rpc-http-server.asp I can see one issue that I haven't addressed. That's the ValidPorts registry entry.

I am in the process of doing this now. Will let you know.

Andrew
OK, I am confused....

I take this:

Dual Server Installation - where Exchange is on a separate machine to the domain controller

exchange-server = Backend Exchange Server
dc = Domain Controller with Global Catalog
external.com = External certificate/domain name

exchange-server:6001-6002;
exchange-server.domain.com:6001-6002;
dc:6001-6002;
dc.domain.com:6001-6002;
exchange-server:6004;
exchange-server.domain.com:6004;
dc:6004;
dc.domain.com:6004;
mail.external.com:6001-6002;
mail.external.com:6004;
dc:593;
dc.domain.com:593;
exchange-server:593;
exchange-server.domain.com:593;
mail.external.com:593;

And change it to previously documented domain names. Is this right:

mail = Backend Exchange Server
kwik-e-mart = Domain Controller with Global Catalog
xyz.local = Internal Domain
xyz.com.au = External certificate/domain name

mail:6001-6002;
mail.xyz.local:6001-6002;
kwik-e-mart:6001-6002;
kwik-e-mart.xyz.local:6001-6002;
mail:6004;
mail.xyz.local:6004;
kwik-e-mart:6004;
kwik-e-mart.xyz.local:6004;
mail.xyz.com.au:6001-6002;
mail.xyz.com.au:6004;
kwik-e-mart:593;
kwik-e-mart.xyz.local:593;
mail:593;
mail.xyz.local:593;
mail.xyz.com.au:593;

Andrew
Well, that did it. I changed it to:

mail:6001-6002;
mail.xyz.local:6001-6002;
kwik-e-mart:6001-6002;
kwik-e-mart.xyz.local:6001-6002;
mail:6004;
mail.xyz.local:6004;
kwik-e-mart:6004;
kwik-e-mart.xyz.local:6004;
mail.xyz.com.au:6001-6002;
mail.xyz.com.au:6004;
kwik-e-mart:593;
kwik-e-mart.xyz.local:593;
mail:593;
mail.xyz.local:593;
mail.xyz.com.au:593;

And all is now working (after a reboot). Simon...you are a godsend...Respect!!!

Andrew
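The ValidPorts value is easy to get subtly wrong by hand (a DC left out, an entry without its FQDN twin, a stray space), and the thread's own first attempt was missing the directory entries. The script below is an added example, not code from the thread or from amset.info: it generates the value in the dual-server layout shown above from the server names, parses an existing value, and reports which expected entries are missing. The names mail, kwik-e-mart, xyz.local and mail.xyz.com.au are the thread's; the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy is where the RPC proxy reads ValidPorts (a REG_SZ), and the .reg output is one way to apply it.

```python
"""Build and sanity-check the RpcProxy ValidPorts value for Exchange 2003 RPC over HTTP.

Added example, not code from the thread. Layout mirrors the dual-server list
the thread converged on: every backend (the Exchange server and each global
catalog DC) appears by NetBIOS name and by internal FQDN for ports 6001-6002,
6004 and 593, and the external name appears for the same three port specs.
"""
import re

STORE_PORTS = "6001-6002"   # 6001 store, 6002 DS referral
DSPROXY_PORT = "6004"       # DSProxy (NSPI)
EPMAP_PORT = "593"          # RPC endpoint mapper over HTTP

# Registry key (REG_SZ value "ValidPorts") read by the RPC proxy component.
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy"

_ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<ports>\d{1,5}(?:-\d{1,5})?)$")


def build_valid_ports(exchange, dcs, internal_domain, external_fqdn):
    """Return the ValidPorts string for one back-end Exchange server plus the listed DCs."""
    hosts = [exchange, *dcs]
    entries = []
    for port in (STORE_PORTS, DSPROXY_PORT):
        for host in hosts:
            entries.append(f"{host}:{port}")
            entries.append(f"{host}.{internal_domain}:{port}")
        entries.append(f"{external_fqdn}:{port}")
    for host in hosts:
        entries.append(f"{host}:{EPMAP_PORT}")
        entries.append(f"{host}.{internal_domain}:{EPMAP_PORT}")
    entries.append(f"{external_fqdn}:{EPMAP_PORT}")
    return ";".join(entries) + ";"


def parse_valid_ports(value):
    """Split a ValidPorts string into a set of (host, ports) pairs, rejecting malformed entries."""
    parsed = set()
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate the trailing ';'
        m = _ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        parsed.add((m.group("host").lower(), m.group("ports")))
    return parsed


def missing_entries(current, expected):
    """Entries present in the expected value but absent from the current one, sorted."""
    missing = parse_valid_ports(expected) - parse_valid_ports(current)
    return sorted(f"{host}:{ports}" for host, ports in missing)


def to_reg_file(value):
    """Render a .reg fragment that sets the value under the RpcProxy key."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{REG_KEY}]\n"
        f'"ValidPorts"="{value}"\n'
    )


if __name__ == "__main__":
    wanted = build_valid_ports("mail", ["kwik-e-mart"], "xyz.local", "mail.xyz.com.au")
    # Constructed "before" value: the DC left out, which is the kind of gap the thread hit.
    before = build_valid_ports("mail", [], "xyz.local", "mail.xyz.com.au")
    print(to_reg_file(wanted))
    print("missing from the DC-less value:", missing_entries(before, wanted))
```

Feed the current value (exported from the registry on the Exchange server) to missing_entries() alongside the generated one before editing; the entries it lists are exactly the ones to add, and anything parse_valid_ports() rejects is a typo the RPC proxy would silently ignore.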
I was tied up all day with a client so couldn't respond... but glad to hear you have it working.
Technically you shouldn't need the registry entries, but there have been various reports of at least some of them still being required.

Thanks for the points...

Simon.