Solved

Help with setup of Exchange server

Posted on 2004-09-10
313 Views
Last Modified: 2008-01-09
OK, I have been battling for a while to get this configuration going but no luck.

I have our public domain (xyz.com.au) and our local domain xyz.local. xyz.local is an Active Directory domain, while xyz.com.au is a standard DNS domain.

DNS for xyz.com.au has an entry for mail.xyz.com.au that points to say 1.1.1.75 and DNS internally has mail.xyz.local that points to 192.168.1.252.

Our firewall routes ports 25, 110 and 80 from our mail server's external IP address to our internal IP address.

Now, internally, when I use Outlook and add a new mailbox, when I enter a server name of mail.xyz.com.au and a valid username all works fine, but the server name gets changed to its internal server name mail.xyz.local. No problems...it works...Just something I noticed.

Now, for the part that doesn't work. I have a number of laptop users, all who have Outlook 2003. I am trying to get RPC over HTTP working so I can use "Exchange over the Internet". The problem I am having is that when I try to do a Check Name from external to the local network, i.e. from home, I get an Internet Explorer Authentication Box from Realm mail.xyz.com.au. The authentication never passes and so I can never get it to work. I can't use the previously working "Check Name" from on the local network as the server name changed to the internal server name.

Any ideas what is going wrong?

Andrew
Question by:andrewharris
16 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 12025828
With RPC over HTTP you need to configure the same name to work both internally and externally.
This will look like mail.xyz.com.au.
Your HTTPS certificate also needs to be using this name.

You then configure the RPC settings in Account Settings, Connection.
Enable the option "Connect to my Exchange Mailbox using HTTP" and then enter the "Exchange proxy Settings". Throughout the dialogue you will enter the external name - mail.xyz.com.au.

If you want to see a screenshot of a completed configuration, look here: http://www.amset.info/exchange/rpc-http-client.asp

The name check will still resolve to the machine's internal name on your .local domain - it is supposed to do that.

Simon.
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12026246
You are a star...I can now get into Outlook. The missing thing was the 'Use HTTP THEN TCP/IP' for FAST networks was unchecked.

One issue though is that I get this now:
Task 'Mailbox - Andrew Harris' reported error (0x8004011D) : 'The server is not available. Contact your administrator if this condition persists.'
Task 'Mailbox - Andrew Harris - Sending' reported error (0x80040115) : 'The connection to the Microsoft Exchange Server is unavailable.  Outlook must be online or connected to complete this action.'

Any ideas?

Andrew
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12031310
They are MAPI errors.
If you remove RPC-HTTP does it work when you are on the network? You need to rule out a problem with your mailbox.

Simon.
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12031997
Well, at first I did have the problem while connected locally, but I sorted a DNS problem and that works fine. So now I only get it when connected remotely.

The problem I get is when I first get Outlook started, it moves straight to being "Disconnected".

Andrew
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12034664
Going straight to disconnected means that there is still a problem with connection to the Exchange server.

Do the following on network:

Try creating a new profile without the RPC-HTTP settings and see if that connects.
If so, add the RPC-HTTP settings. See if it still connects.

Once you have confirmed the above stages, take the machine off net to see if it works.

Simon.
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12036577
I did that, that's what my last post was (trying) to say.

Connected locally, with and without RPC-HTTP all is OK. Connected remotely with RPC-HTTP I get this problem. I need to add too, that if I take cached mode off then I can't even start Outlook remotely.

Andrew
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12038163
Getting RPC-HTTP to work is a step by step process - trying to rush ahead usually results in problems. It is actually quite complex to get going - but once it is running, very easy to implement and maintain.

When on the network, start Outlook with the rpcdiag switch:

outlook /rpcdiag

All elements should be connecting with https. In addition, if the machine is a member of the domain you shouldn't get prompted for a username and password.
If anything is connecting with TCP/IP then RPC-HTTP isn't working correctly.

Next, repeat the process outside of the network and see which component is failing.

If it works fully inside then there has to be something wrong either with the firewall configuration, DNS or something else interfering with the connection.

Simon.
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12040554
Sembee,

I take your point on rushing and can see why.

I still get a prompt for username/password and have had to set the Proxy Authentication to use Basic Authentication as NTLM never authenticates successfully (This may be due to a Group Policy setting we have...I am looking into that).

Both internally and externally, /rpcdiag shows that I am using HTTPS. The part that worries me is that, once Outlook is started, /rpcdiag shows 2 entries, and both are for our Domain Controller. Do I need to make the Exchange Server a Domain Controller?

Andrew
0
LVL 104

Expert Comment

by:Sembee
ID: 12046996
Don't make the Exchange server a domain controller. Lots of people do that and it causes lots of problems. It isn't recommended and Exchange is a lot happier on a member server.

Step back a bit more if you will for a moment please? Does OWA work with that certificate?

You shouldn't be seeing the domain controller listed. For both entries it should be the internal FQDN of the Exchange server. Don't worry - that is by design.

Thus, if you have entered mail.domain.com but your internal address is exchange.domain.local, then exchange.domain.local is what rpcdiag will show.

The authentication problems are well known - there is a fix for that. http://support.microsoft.com/?kbid=820281

RPC Proxy needs to be installed on the Exchange server.
HTTPS needs to be installed on the Exchange server.
The clients need to be pointing at the Exchange server either internally or externally by DNS - i.e. mail.domain.com needs to resolve correctly whether you are inside or outside - although the results may be different.
Something isn't right with the setup.

What I should have asked right at the start is whether this is Exchange 2003 SP1 which has been configured with the GUI or Exchange 2003 no SP which has been configured by manual registry edits. It can make a difference.

Simon.
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12049066
Simon,

Thanks for your patience....

The certificate we are using was generated by an internal Certificate Server for mail.xyz.com.au and works fine. OWA works fine and IE doesn't complain.

When you said "You shouldn't be seeing the domain controller listed", where "shouldn't" I be seeing it? I think you mean in rpcdiag, in which case I definitely see the FQDN of my DC with a "type" of "Directory".
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12049082
Oops...Wrong button :-/

Lastly, my Exchange setup is Exchange 2003 SP1 configured by GUI.


Andrew
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12049439
I would usually recommend a purchased certificate. These cause fewer problems for RPC-HTTP implementations. However, as you have managed to get IE to accept the certificate, Outlook should be fine.

I did mean in RPCDIAG - when I run it from a production system I built earlier in the year the only server listed is the Exchange server.
Take a look at this page and you will see two screenshots, one of a working installation and one of a faulty installation:

http://www.amset.info/exchange/rpc-http-diag.asp

I have lots of patience - you have to in this industry. Doesn't help that I am around 12 hours different on the time zone (UK).

Simon.
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12050711
Simon,

Your patience is appreciated :-).

No hassle on the timezone diff'. I am normally up at your time, just the last few days I have had no excuses to be up so I haven't been (Take the opportunities when you can ;-)).

From reading through http://www.amset.info/exchange/rpc-http-server.asp I can see one issue that I haven't addressed. That's the ValidPorts registry entry.

I am in the process of doing this now. Will let you know.

Andrew
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12050919
OK, I am confused....

I take this:

Dual Server Installation - where Exchange is on a separate machine to the domain controller

exchange-server = Backend Exchange Server
dc = Domain Controller with Global Catalog
external.com = External certificate/domain name

exchange-server:6001-6002;
exchange-server.domain.com:6001-6002;
dc:6001-6002;
dc.domain.com:6001-6002;
exchange-server:6004;
exchange-server.domain.com:6004;
dc:6004;
dc.domain.com:6004;
mail.external.com:6001-6002;
mail.external.com:6004;
dc:593;
dc.domain.com:593;
exchange-server:593;
exchange-server.domain.com:593;
mail.external.com:593;

and change it to the previously documented domain names. Is this right:

mail = Backend Exchange Server
kwik-e-mart = Domain Controller with Global Catalog
xyz.local = Internal Domain
xyz.com.au = External certificate/domain name

mail:6001-6002;
mail.xyz.local:6001-6002;
kwik-e-mart:6001-6002;
kwik-e-mart.xyz.local:6001-6002;
mail:6004;
mail.xyz.local:6004;
kwik-e-mart:6004;
kwik-e-mart.xyz.local:6004;
mail.xyz.com.au:6001-6002;
mail.xyz.com.au:6004;
kwik-e-mart:593;
kwik-e-mart.xyz.local:593;
mail:593;
mail.xyz.local:593;
mail.xyz.com.au:593;

Andrew
0
 
LVL 4

Author Comment

by:andrewharris
ID: 12053625
Well, that did it. I changed it to:

mail:6001-6002;
mail.xyz.local:6001-6002;
kwik-e-mart:6001-6002;
kwik-e-mart.xyz.local:6001-6002;
mail:6004;
mail.xyz.local:6004;
kwik-e-mart:6004;
kwik-e-mart.xyz.local:6004;
mail.xyz.com.au:6001-6002;
mail.xyz.com.au:6004;
kwik-e-mart:593;
kwik-e-mart.xyz.local:593;
mail:593;
mail.xyz.local:593;
mail.xyz.com.au:593;

And all is now working (after a reboot). Simon...you are a godsend...Respect!!!

Andrew
0
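A small checker, added here as an example and not part of the thread or of any Microsoft tooling, that parses the ValidPorts string above and reports which required host/port combinations are missing (the kind of gap that broke the remote connection) and which entries fall outside the allow-list (the RPC proxy forwards to anything listed, so the value should name only the servers it must reach). The hostnames, the NetBIOS/FQDN pairs and the ports 6001-6002, 6004 and 593 are taken from the posts above; the value string is a re-typed copy of Andrew's.

```python
import re
from typing import Dict, List, Set, Tuple

# The ValidPorts value Andrew posted above, re-typed here as the sample input.
VALID_PORTS = (
    "mail:6001-6002;mail.xyz.local:6001-6002;"
    "kwik-e-mart:6001-6002;kwik-e-mart.xyz.local:6001-6002;"
    "mail:6004;mail.xyz.local:6004;kwik-e-mart:6004;kwik-e-mart.xyz.local:6004;"
    "mail.xyz.com.au:6001-6002;mail.xyz.com.au:6004;"
    "kwik-e-mart:593;kwik-e-mart.xyz.local:593;mail:593;mail.xyz.local:593;"
    "mail.xyz.com.au:593;"
)
# NetBIOS + FQDN of the Exchange server and the GC domain controller, plus the external name.
EXPECTED_HOSTS = ["mail", "mail.xyz.local", "kwik-e-mart",
                  "kwik-e-mart.xyz.local", "mail.xyz.com.au"]
# Ports named in the thread: 6001-6002 and 6004 for the proxied services, 593 for the endpoint mapper.
REQUIRED_PORTS = {6001, 6002, 6004, 593}

ENTRY_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})(?:-(\d{1,5}))?$")

def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Expand 'host:port' and 'host:lo-hi' entries into host -> set(ports)."""
    hosts: Dict[str, Set[int]] = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:           # tolerate the trailing ';'
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if lo > hi or hi > 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        hosts.setdefault(m.group(1).lower(), set()).update(range(lo, hi + 1))
    return hosts

def check_valid_ports(value: str, expected: List[str]) -> Tuple[dict, dict]:
    """Return (missing, unexpected): required ports each expected host lacks, and hosts/ports outside the allow-list."""
    hosts = parse_valid_ports(value)
    wanted = {h.lower() for h in expected}
    missing = {h: gap for h in wanted if (gap := REQUIRED_PORTS - hosts.get(h, set()))}
    unexpected = {}
    for h, ports in hosts.items():
        extra = ports if h not in wanted else ports - REQUIRED_PORTS
        if extra:
            unexpected[h] = extra
    return missing, unexpected
```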
 
LVL 104

Expert Comment

by:Sembee
ID: 12058657
I was tied up all day with a client so couldn't respond... but glad to hear you have it working.
Technically you shouldn't need the registry entries, but there have been various reports of at least some of them still being required.

Thanks for the points...

Simon.
0
