2170059


Expired SSL Cert in SBS 2003 or is it?

ExBPA says my SSL certificate is expired for https://domain.com on SBS 2003. A valid certificate is in place for www.domain.com, which expires in 2011. www.domain.com is hosted by the ISP. Clues?
Sembee

https://domain.com and https://www.domain.com are two different hosts.
EXBPA will be referring to an SSL certificate stored on the local server.

Simon.
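An added example (not part of the thread) that makes the point concrete: a certificate is checked per host, so the one presented for www.domain.com says nothing about the one ExBPA finds for domain.com, and a wildcard *.domain.com certificate would not cover the bare domain.com either. The sample certificates and the assumed date of the question are constructed; the dict layout is the one `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Assumed date of the thread (the www certificate "expires in 2011", so before that).
ASKED_AT = datetime(2010, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the self-signed cert on the SBS box (CN=domain.com, expired
# 8/15/2005) and the ISP-hosted www certificate (valid until 2011).
SAMPLE_CERTS = {
    "domain.com": {
        "subject": ((("commonName", "domain.com"),),),
        "notAfter": "Aug 15 23:59:59 2005 GMT",
    },
    "www.domain.com": {
        "subject": ((("commonName", "www.domain.com"),),),
        "subjectAltName": (("DNS", "www.domain.com"),),
        "notAfter": "Dec 31 23:59:59 2011 GMT",
    },
}

def cert_names(cert):
    """Hostnames the certificate claims: subject CN plus DNS entries in the SAN."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names

def name_matches(hostname, pattern):
    """Exact match, or one leading wildcard label; *.domain.com does NOT cover domain.com."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern

def assess(hostname, cert, now=None):
    """Return (covers_host, expired) for a certificate presented by hostname."""
    now = now or datetime.now(timezone.utc)
    covers = any(name_matches(hostname, n) for n in cert_names(cert))
    expired = now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"])
    return covers, expired

def report(certs, now=None):
    """One line per host, to cross-check an ExBPA certificate warning host by host."""
    lines = []
    for host, cert in certs.items():
        covers, expired = assess(host, cert, now)
        lines.append(f"{host}: names={sorted(cert_names(cert))} covers={covers} expired={expired}")
    return lines
```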
2170059

ASKER

I realize they are different hosts. There is just the PDC for SBS 2003. So how do I reconcile the 2? 2 certificates?
The installation of SBS puts a self signed SSL certificate in by default. That is probably what EXBPA is detecting. Look in IIS Manager on the server and see what the certificate there says.

Simon.

ASKER

The one in IIS is www.domain.com, the one from Best Practices is https://domain.com
Best Practices only looks to machines with Exchange installed on them. As you have SBS, you only have one server. The only thing I can suggest is to remove that certificate and run the tool again.

Simon.

ASKER

I have removed the www.domain.com SSL certificate via IIS and run the tool, but it still says the https://domain.com certificate is expired as of 8/15/2005. Don't know where to remove that certificate or where to recreate a new one.
If you ping domain.com - what server responds?
Can you browse to https://domain.com ?

Simon.

ASKER

I can browse to https but get a blank page. When I ping www.domain.com I get the ISP server that provides DNS.
You pinged the wrong thing.
Ping domain.com - not www.domain.com

Simon.

ASKER

Interesting. It pings Starband, the ISP we have broadband service from, not the ISP that does DNS service.
Do you have a zone for domain.com in your DNS server?

Simon.

ASKER

No, and this is beginning to feel like therapy. This SBS 2003 server was set up as domain.local because at the time it could not contact domain.com. From what I've found, the server must be completely reinstalled to change that. In my forward lookup zones there are only domain.local and _msdcs.domain.local. I intend to do a complete reinstall sometime soon but wanted to solve the original problem anyway.
You have misunderstood my question.

You can have zones in your DNS server for domains other than the domain that you are using for Active Directory.

A very common configuration is to have domain.local as the AD domain, then have a second zone for domain.com so that you can use the same names externally as internally. It is known as split DNS and is something that I deploy on most sites that I work with.

SBS likes to install the domain as domain.local and tends to complain if you do anything else. With SBS the trick for a successful deployment is to do everything that the wizard wants you to - don't fight it and the server will operate fine.

What I am trying to work out is why the EXBPA tool is connecting to that web site.

Simon.

ASKER

Well the only zones listed are the ones I mentioned previously. No domain.com zone. Should I create one via New Zone?
You don't need to create one. The reason I asked was in an attempt to see where EXBPA is getting that SSL certificate from.

What does the server announce itself as?
To check, go into ESM, Servers, <your server>, Protocols, SMTP. Right click on SMTP and choose Properties. Click on the last tab "Delivery" and then Advanced. What does it say in the box labelled FQDN?

Simon.

ASKER

It's domain.com
That may explain it.

domain.com isn't a valid hostname for SMTP MX mail delivery. It needs to be host.domain.com (where host can be anything you like and domain.com is your domain name).

If you have your email delivered directly via an MX record, then you should change it to match the name on the MX record.
For example, if your MX record says mail.domain.com then enter mail.domain.com into that box.

If your email comes in via a POP3 connector or an SMTP feed from the ISP/Host, then ask your domain name registrar to create a new host pointing at your server. If not already used then use mail.domain.com, but you could use anything you like - such as owa.domain.com, post.domain.com etc.

Simon.

ASKER

This is obviously the heart of the matter. We have one satellite ISP with a static IP that provides internet service. We have another ISP with 2 dialup accounts that resolves our domain name into one of those email accounts, and mail is extracted from their server via Outlook 2003. Would prefer that we get our email via our own Exchange in SBS 2003. So, is creating the MX record in DNS and an A record for the ISP and the IP for our domain name the correct step? And do we need the ISP to change something? Yes, I'm new at this end of the business.
ASKER CERTIFIED SOLUTION
Avatar of Sembee
Sembee