edz_pgt
asked on
SBS2008, Autodiscover & Out of Office Replies
Before I make a complete mess of an SBS server, I'd like to check with the experts!
I have a client site where there is an Autodiscover security certificate error every time they launch Outlook. I've overlooked this as it's never really caused an issue before.
However, a user now wants to configure an out of office reply and the system says she can't because she's not connected to the server. The server status at the bottom of outlook says she's connected and all other mail functions appear normal.
After a bit of Googling, it appears that the Autodiscover issue is preventing the out of office assistant from starting. However, it should be possible to configure the out of office reply from OWA. I've tried this and although it lets me configure it, the replies don't appear to be working. This may or may not be me doing it wrong but may also be connected, too.
The certificate error on the Autodiscover side of things relates to the certificate name not being the same as the address of the server. However, I'm not sure if this is actually true.
My question is this - I've seen references to entering commands into the Exchange console to correct the certificate issue but I'm nervous about doing anything here since SBS systems prefer to use wizards.
Can anyone advise the best way to correct this on a Small Business Server 2008, please?
please read my article here
https://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Exchange-2007-2010-Web-services-and-Autodiscover-Ultimate-Troubleshooting-Guide.html
It explains all that you need.
ASKER
Wow! - thanks for the quick responses. I obviously haven't had time to read the articles yet but wanted to ask your advice while you're still online.
Is it possible to fix this without re-issuing a new security certificate? This would be a real pain in the you-know-what!
ASKER
ok - looking at the articles, it seems a bit complex and I need some clarification please. These issues may be in areas that you've spent considerable time with but I'm a bit fresh to the whole thing.
If we were to say that the certificate address is https://office.domain.com then what exactly should I be doing, (and where) please.
ASKER
I should also add that this particular user is internal. Therefore, this might have an impact on the certificate addressing.
Please run this on exch shell and copy paste here.
Get-WebServicesVirtualDirectory | fl
Also - you need a correctly configured UCC/SAN issued to the following domains for your Exchange / iPhones / Windows phones / autodiscover and OOF to work properly.
UCC/SAN issued to
mail.domain.com (external FQDN)
autodiscover.domain.com (external)
mail.domain.local (internal FQDN)
mail (SERVERNAME)
thanks
ASKER
Something else that springs to mind is that this customer (as with ourselves and all of our customers) uses the self-signed certificate.
Autodiscover isn't really something we want to use - ie it's not important that it works as far as I can tell. Just as long as it doesn't stop us doing other things.
I've substituted the customer's server name with 'servername' and their internal and external domains with 'customername' (although I've left the TLD intact).
InternalNLBBypassUrl : https://servername.customerdomain.local/EWS/Exchange.asmx
Name : EWS (SBS Web Applications)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://servername.customername.local/W3SVC/3/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
Server : servername
InternalUrl : https://office.customername.com/EWS/Exchange.asmx
ExternalUrl : https://office.customername.com/EWS/Exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=EWS (SBS Web Applications),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=customername,DC=local
Identity : servername\EWS (SBS Web Applications)
Guid : a69fbf2b-02b1-499a-a87d-a6404ffe89f7
ObjectCategory : customername.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 20/01/2010 16:36:36
WhenCreated : 19/01/2010 17:42:07
OriginatingServer : servername.customername.local
IsValid : True
InternalUrl : https://office.customername.com/EWS/Exchange.asmx
ExternalUrl : https://office.customername.com/EWS/Exchange.asmx
--
that is wrong.
For internal URL it should be directed to - servername.customername.local - Internal FQDN
for external URL it should be directed to - mail.domain.com > external
- run this from exchange shell
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://servername.customername.local/EWS/Exchange.asmx -BasicAuthentication:$True
Restart this service after that.
start> run > services.msc
MSExchangeMailboxAssistants
See if that works, otherwise for testing you can also run this and check if it works.
--
Set-SenderFilterConfig -Enabled $false
ASKER
Thanks.
I've done as you say (obviously I amended the server and domain details first) but this doesn't appear to have made any difference.
I'm not sure what to expect, but when I ran the Set-SenderFilteringConfig command, I didn't get any response. It just accepted the command and returned me to the command prompt.
I don't know if this is relevant but when launching Outlook, the client gets the Autodiscover certificate error. This states that it was issued by Plesk. Can't imagine why that would be. However, if the client goes to https://servername/owa and clicks the certificate, then the correct details are displayed (ie the https:office. ... etc.)
Did you set up autodiscover as well? You need it to work internally correctly as well.
good point by busbar.
can you run this
Get-AutodiscoverVirtualDirectory | fl
and copy paste the results here.
ASKER
Thanks busbar - I hadn't done that. I have worked out the syntax and set this correctly now although, again, it hasn't changed anything. (I restarted the mailbox assistants service again, too).
Just having a 'homer moment' though - autodiscover.companyname.com doesn't exist as an A record on the DNS of the external domain. I'm guessing this might be an issue?
yes you are correct, you need it also in the internal DNS if you don't use internal name in the internal SCP
We are dealing with internal Autodiscover at this point.
External autodiscover is required for RPC/HTTPS.
Please run this
Get-AutodiscoverVirtualDirectory | fl
ASKER
busbar, could you expand on that internal domain comment please? ...and what does SCP stand for?
SCP: service connection point
Externally, Outlook clients use autodiscover.domain.com, while internally Outlook queries Active Directory using the SCP to connect to a specific URL. This is set to the first CAS internal FQDN by default, and you can change it as I specified in my article.
ASKER
ok - sorry but I'm lost now. I can't see anything obvious in your article and I'm not sure I can work this out.
I'm guessing I need to be adding an A record to the DNS in the SBS server that points autodiscover.companyname.com to the internal IP of the server. Am I right? If so, I'm a bit rusty on this so I'd appreciate someone reminding me how to do that.
Can you run this from exch shell and post the results here.
Get-AutodiscoverVirtualDirectory | fl
thanks
ASKER
Name : Autodiscover (SBS Web Applications)
InternalAuthenticationMeth
ExternalAuthenticationMeth
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://servername.customern
OT/Autodiscover
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server : servername
InternalUrl : https://servername.customername.local/EWS/Exchange.asmx
ExternalUrl : https://office.customername.com/Autodiscover/Autodiscover.xml
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Autodiscover (SBS Web Applications),CN=HTTP,
CN=Protocols,CN=servername
ge Administrative Group (FYDIBOHF23SPDLT),CN=Ad
ministrative Groups,CN=First Organization,CN=Mi
crosoft Exchange,CN=Services,CN=Co
C=customername,DC=local
Identity : servername\Autodiscover (SBS Web Applications)
Guid : 74b93ebf-2690-434b-b0f4-08
ObjectCategory : customername.local/Configu
h-Auto-Discover-Virtual-Di
ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscove
rVirtualDirectory}
WhenChanged : 11/08/2010 12:35:24
WhenCreated : 19/01/2010 17:42:29
OriginatingServer : servername.customername.lo
IsValid : True
this is your problem >>
InternalUrl : https://servername.customername.local/EWS/Exchange.asmx
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl "https://servername.customername.local/Autodiscover/Autodiscover.xml"
As I said, you need to change the internal URL from the server FQDN to the office.customername.com
use:
Set-ClientAccessServer -Identity <CAS Server Name> -AutoDiscoverServiceInternalUri https://office.customername.com/Autodiscover/Autodiscover.xml
Hi Sunny,
updating the internal SCP is done using Set-ClientAccessServer, not Set-AutodiscoverVirtualDirectory
Could it be that it's modifying the same object?
I checked the technet article on modifying autodiscover SCP's. Your syntax is correct.
I have used the above command successfully.
ASKER
I'm still no further on this I'm afraid. I've updated the autodiscover internal URL though:
Name : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://servername.companyname.local/W3SVC/3/ROOT/Autodiscover
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server : servername
InternalUrl : https://servername.companyname.local/Autodiscover/Autodiscover.xml
ExternalUrl : https://office.companyname.com/Autodiscover/Autodiscover.xml
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=companyname,DC=local
Identity : servername\Autodiscover (SBS Web Applications)
Guid : 74b93ebf-2690-434b-b0f4-08f5ed6a5b50
ObjectCategory : companyname.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged : 11/08/2010 13:49:26
WhenCreated : 19/01/2010 17:42:29
OriginatingServer : servername.companyname.local
IsValid : True
Did you restart this service
start> run > services.msc
MSExchangeMailboxAssistants
ASKER
ok - Thanks for the input so far. Just to keep you up to speed, I'm convinced that the incorrect external DNS resolution of autodiscover.companyname.com has got to be a bad thing so I'm waiting for it to propagate before I have a stab at anything else.
I'll come back once this has been resolved.
ASKER
Right. Now that the DNS has propagated I have a new problem.
The security alert that pops up when you launch Outlook used to be happy with items 1 and 2 but failed on the 3rd element which is "The name on the security certificate is invalid or does not match the name of the site".
It now fails on points 1 and 3. The first one says "The security certificate was issued by a company you have not chosen to trust."
When I view the certificate I now see that it is:
Issued to: office.customername.com
Issued by: customername-SERVERNAME-CA
Valid from: 20/01/2010 to 20/01/2012
Yesterday, this certificate said it was issued by plesk.
Anyway, I've tried installing the certificate (I was logged in as the user though) and I tried installing it automatically and also into the trusted root authority.
Help! :)
ASKER
I also find it constantly asks for the user's login username and password now.
ASKER
It's all gone very quiet :(
Can anyone else shed any light on this please?
Hey, I was sleeping. Just woke up (I am in EST). Will check this and post back...
ASKER
LOL - how dare you be asleep when I start work at GMT+1 !!
;o)
;) EE is taking over my life..
For this error:
The security certificate was issued by a company you have not chosen to trust.
http://support.microsoft.com/kb/297681
Go here
c:\windows\system32\certsrv\Certenroll
Double click on the cert which is there and see who was it issued to.
-
If you have the correct cert, you can export and import it back.
here's a tool which helps you do this.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html
ASKER
I'm getting a little further (I think)...
I've managed to resolve the error 1 "The security certificate was issued by a company you have not chosen to trust." by importing the certificate directly from a CER file rather than from the certificate popup itself.
I've also got the DNS working better.
office.customername.com now resolves INTERNALLY to the server's internal IP
autodiscover.customername.com now resolves INTERNALLY to the server's internal IP
office.customername.com now resolves EXTERNALLY to the office's external IP
autodiscover.customername.com now resolves EXTERNALLY to the office's external IP
Still struggling with error 3 on the certificate popup though:
"The name on the security certificate does not match..."
Are you getting that from OWA or outlook ?
ASKER
Outlook
Your cert has to have these 4 names
mail.domain.com (external FQDN)
autodiscover.domain.com (external autodiscover)
mail.domain.local (internal FQDN)
mail (Internal Servername)
ASKER
Don't forget that this is a self-signed cert - is this possible to do?
I was looking at this page here:
http://support.microsoft.com/kb/940726
I'm thinking that now that my internal clients resolve https://autodiscover.companyname.com to the server's internal IP, I should possibly do as the KB says and set the internaluri to be the external address.
What do you think?
Check from this path
c:\windows\system32\certsrv\Certenroll
If it is issued to these.
mail.domain.local (internal FQDN)
mail (Internal Servername)
--
From outlook
Go here
Tools > Account Settings
Click on the E-mail tab
click Repair.
From that link above
What is your internal URL ? > the FQDN of the CAS server
or the First MX record - mail.domain.com ?
if you are using autodiscover.companyname.com > did you create a DNS entry for that to point to the CAS server ?
Try outlook refresh steps above.
ASKER
The cert is issued to:
customername-SERVERNAME-CA
Any luck ?
That is probably the self signed. Where is your plesk cert then ?
ASKER
sorry - on phone - 2mins
Either you can run Get-ExchangeCertificate | fl
Or use the u-btech tool from the link above to manage it
Ok. I will go take a shower and get some coffee
ASKER
The CAS server internal URI is https://office.customername.com/Autodiscover/Autodiscover.xml
Yes, autodiscover.companyname.com internally points to the server's internal IP and externally points to the WAN IP.
I'm getting access denied when trying to get the certificate from the exchange console and I can't see the u-btech thing you mentioned.
Was the coffee good?
ASKER
Certificate:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.companyname.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=companyname-SERVERNAME-CA
NotAfter : 28/04/2011 11:30:28
NotBefore : 28/04/2010 11:30:28
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 611C9C9C000000000006
Services : IMAP, POP
Status : Valid
Subject : CN=SERVERNAME.companyname.local
Thumbprint : 5C270961497DEA0FD9B44E458198D2F5B89690F9
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {office.companyname.com, companyname.com, SERVERNAME.braemoregroup.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=companyname-SERVERNAME-CA
NotAfter : 20/01/2012 16:26:16
NotBefore : 20/01/2010 16:26:16
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 61FD8FD5000000000005
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=office.companyname.com
Thumbprint : D82FB69D18C62838D0F534E0AD98BAF4A7F99280
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.companyname.com, companyname.com, SERVERNAME.braemoregroup.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=companyname-SERVERNAME-CA
NotAfter : 20/01/2012 16:18:31
NotBefore : 20/01/2010 16:18:31
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 61F67CE1000000000004
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=remote.companyname.com
Thumbprint : D332064DB6A4B657894E85A5001EB03D5DCF3550
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.companyname.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=SERVERNAME.companyname.local
NotAfter : 19/01/2013 00:00:00
NotBefore : 20/01/2010 00:00:00
PublicKeySize : 1024
RootCAType : None
SerialNumber : C74B522D8D36388841C210C141A3005F
Services : IMAP, POP
Status : Valid
Subject : CN=SERVERNAME.companyname.local
Thumbprint : C4D922B54D5801102073DB6D284303E5C7B12551
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERNAME.companyname.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=companyname-SERVERNAME-CA
NotAfter : 19/01/2012 17:17:01
NotBefore : 19/01/2010 17:17:01
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 6105ABC8000000000002
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : 1314EF6C4C9619181FF0B47C34B836BB51687E9E
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {companyname-SERVERNAME-CA}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=companyname-SERVERNAME-CA
NotAfter : 19/01/2015 17:25:59
NotBefore : 19/01/2010 17:16:00
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 4391B22687797CB0412BF317BCB97E1F
Services : None
Status : Valid
Subject : CN=companyname-SERVERNAME-CA
Thumbprint : 2311E5A17ADF65D6211495FC13A07974BF4C5D08
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-SLMEVBZKJWT}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-WIN-SLMEVBZKJWT
NotAfter : 17/01/2020 15:47:36
NotBefore : 19/01/2010 15:47:36
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 1FDA25B136928ABA4FEEA662E305CA59
Services : None
Status : Valid
Subject : CN=WMSvc-WIN-SLMEVBZKJWT
Thumbprint : 4570574D2E24340CAC68067FF434AD663860957C
here's a tool which helps you do this.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html
this is the one
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {office.companyname.com, companyname.com, SERVERNAME.b
raemoregroup.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=companyname-SERVERNAME-CA
NotAfter : 20/01/2012 16:26:16
NotBefore : 20/01/2010 16:26:16
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 61FD8FD5000000000005
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=office.companyname.com
Thumbprint : D82FB69D18C62838D0F534E0AD98BAF4A7F99280
Use the u-btech tool above to remove / import the cert's.
yep It was good @ coffee. Starting by day - heading out to office.
ASKER
ok - I've managed to export the certificate using u-btech but how do I edit it and get it back in?
Will I then need to visit every device to re-install a new certificate? (Major issue!)
You can't edit it. You can import using ubtech tool too
ASKER
So... if I can't edit it, what should I be importing?
and... what effect will the import have on existing users?
You get the certificate from plesk / Godaddy with these domains on it.
mail.domain.com (external FQDN)
autodiscover.domain.com (external autodiscover)
mail.domain.local (internal FQDN)
mail (Internal Servername)
you configure this at that time when you are buying the cert.
--
existing users - if they are using outlook / OWA - they will get the new certificate when they disconnect and reconnect.
i am trying to think of any other implication...will post back.
ASKER
so, is it not possible to run with a self-signed cert?
ASKER
We also have a few iPhone users who are posted across Europe. Installing the certificate originally involved setting up a temporary gmail account, emailing the cert to it, getting the user's iphone configured for that account, downloading and installing the cert and then deleting the gmail account from their phones again.
I don't really fancy going through all that again if I can help it!
it is possible to run self signed
iPhone will go through with self signed - but Windows Mobile phones and Droid's may not work.
ASKER
So, what should i be doing to correct the self-signed cert?
you cannot correct self-signed, you can issue a new one
See the steps here
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
ASKER
I'm struggling to get my head around this now. Why will a new one be any better than the one I've already got? I also don't understand why this doesn't work 'out of the box' on a standard installation.
Give me some time @ on a support call.
ASKER
no probs.
I hope there's a prize for the longest EE post - we might win it at this rate!
yeah man >> or agent smith is replicating.
( I am trying to make a series of agent smith humor and microsoft exchange...
That's the closest analogy I had till now between Microsoft Exchange and movies.)
ASKER
LOL!
I probably ought to watch the Matrix again. I can't really remember enough to understand you!
Agent smith starts replicating in Matrix part 3.
In the third part he starts punching his hand in every one's stomach/solar plexus and converts them to Agent Smith.
Neo goes to meet the Architect and cuts a deal with him that he will stop Agent Smith from replicating.
In the end he converts the Oracle to Agent Smith..and when he tries to do that to Neo - he explodes.
This is within the matrix.
And the famous line -- I am supposed to say something at this point...like -- Everything that has a beginning has an end.
--
When I think agent smith, I think domain controllers and public folders.
I think I will send an email to the XKCD guys to come up with something and wear it as a T-Shirt :D
check my profile @ XKCD
https://www.experts-exchange.com/M_5929264.html
I am doing this while on a support call. Matrix must be awesome...
I can't remember how many times I have watched it....
ASKER
Is this autodiscover test any use?
companyname-exchange-test.gif
ASKER
3908 737007691 08/12/10 15:51:15 Autodiscover to https://companyname.com/autodiscover/autodiscover.xml starting
3908 737008143 08/12/10 15:51:15 Autodiscover to https://companyname.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
3908 737008143 08/12/10 15:51:15 Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml starting
3908 737010405 08/12/10 15:51:17 Autodiscover XML Received
I notice that it's trying to resolve https://companyname.com/autodiscover/autodiscover.xml
I don't have an internal DNS resolution for this. Do I need to cater for companyname.com (with no subdomain)? If so, how do I set up a split DNS for this?
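An added example, not part of any post in this thread: it parses Outlook Autodiscover log lines in the layout quoted above and lists the hostnames Outlook requested that a certificate's name list does not cover, which is the condition behind a name-mismatch warning. The sample log is the four lines from the post; the certificate names are the first two entries of the listing marked "this is the one" (the third is truncated on the page and left out), and the wildcard handling goes beyond what the thread discusses.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the Autodiscover log lines quoted in the post above.
SAMPLE_LOG = """\
3908 737007691 08/12/10 15:51:15 Autodiscover to https://companyname.com/autodiscover/autodiscover.xml starting
3908 737008143 08/12/10 15:51:15 Autodiscover to https://companyname.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
3908 737008143 08/12/10 15:51:15 Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml starting
3908 737010405 08/12/10 15:51:17 Autodiscover XML Received
"""

# Constructed sample: first two CertificateDomains of the IIS-enabled
# certificate in the thread (assumption: the truncated third name is omitted).
SAMPLE_CERT_NAMES = ["office.companyname.com", "companyname.com"]

ATTEMPT_RE = re.compile(
    r"Autodiscover to (?P<url>https?://\S+) "
    r"(?:(?P<start>starting)|FAILED \((?P<code>0x[0-9A-Fa-f]+)\))"
)


def parse_attempts(log_text):
    """Return the Autodiscover attempts in the order Outlook made them."""
    attempts = []
    for line in log_text.splitlines():
        match = ATTEMPT_RE.search(line)
        pending = [a for a in attempts if a["result"] == "pending"]
        if match and match.group("start"):
            url = match.group("url")
            attempts.append({
                "url": url,
                "host": urlsplit(url).hostname.lower(),
                "result": "pending",
            })
        elif match:
            # A FAILED line closes the most recent pending attempt for that URL.
            for attempt in reversed(pending):
                if attempt["url"] == match.group("url"):
                    attempt["result"] = "failed " + match.group("code")
                    break
        elif "Autodiscover XML Received" in line and pending:
            pending[-1]["result"] = "received"
    return attempts


def name_matches(host, cert_name):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return host == cert_name
    label, _, parent = host.partition(".")
    return bool(label) and parent == cert_name[2:]


def uncovered_hosts(attempts, cert_names):
    """Hostnames that were requested but appear in none of the cert names."""
    missing = []
    for attempt in attempts:
        host = attempt["host"]
        covered = any(name_matches(host, name) for name in cert_names)
        if not covered and host not in missing:
            missing.append(host)
    return missing


if __name__ == "__main__":
    tried = parse_attempts(SAMPLE_LOG)
    for attempt in tried:
        print(f"{attempt['host']:35} {attempt['result']}")
    for host in uncovered_hosts(tried, SAMPLE_CERT_NAMES):
        print("not on certificate:", host)
```

Running it against a fresh log and the `CertificateDomains` of the certificate bound to IIS shows which names a replacement certificate has to carry before it is requested.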
autodiscover has to link to
autodiscover.domain.local -- not to autodiscover.company name
it has to resolve internally.
I am going to be stepping out for about 1.5 hrs. will log back and check it then.
ASKER
ok - but I've used split DNS to make autodiscover.companyname.com resolve to autodiscover.companyname.local
I may have made some progress though! .....Woohoo!
I've also added a split DNS for companyname.com to the server's NETBIOS name. This seems to have prevented the certificate error from appearing when I launch Outlook.
However, autoconfiguration test seems to fail still.
Check the exchange proxy settings and where it is connecting to.
also run this
outlook /rpcdiag - that will give you the exchange server connection status.
ASKER
Getting closer.... I got the autotest to work just now!
Out Of Office assistant still failing though :(
ASKER
Within the rpcdiag, the local tab displays the following:
Synchronizing Hierarchy
Offline address book Connecting to Microsoft Exchange
Been sat like that for a couple of minutes - is that normal?
if it is sitting there for couple of minutes - that means its not connecting.
I will send you some more cmdlets to check your SCP - service connection points.
thanks
ASKER
I've read somewhere that this might be because this workstation isn't joined to the domain. Apparently these symptoms correspond to this theory. As it happens, the only workstation I have easy access to is a Vista Home Premium system which makes it impossible to join the domain.
Have you heard of this being an issue?
AAAHHH.
I didn't know that @ this workstation isn't joined to this domain.
Can you test this from a workstation which is joined to the domain...
VISTA home premium cannot join to a domain. You need vista professional.
Is there any other way we can test this.
It's better to test our existing setup than trying to modify it for a workstation which is not joined to the domain.
ASKER
I'm doing this remotely. This is the only desktop pc that's switched on. All the others are laptops which are mobile. There's one more desktop but it's switched off. Due to holidays, there's hardly ever anyone in the office to turn the other one on.
LOL! You just couldn't make it up, could you!
Let me see if I can create a VPN and find a spare machine to join to the domain remotely.
.... I may be some time!
Did you try Wake on Lan for desktops which are switched off.
a) Login to their firewall, see if you can get a MAC address from the DHCP list there
b) I hope you have the IP address
Login to the domain
start > run > cmd
type
arp -a
That gives you the ARP cache of MAC address and IP
b) Then use this tool to Wake up
http://www.depicus.com/wake-on-lan/wake-on-lan-gui.aspx
This tool has rescued me so many times.
ASKER
No luck I'm afraid. Must be fast asleep - I think I can hear it snoring from here!
ok - forgot to tell you, the workstations have to have WOL configured on their ethernet cards :-s
When arp -a doesn't work, I usually make a phone call to the location.
(but I forget they are out on vacation....)
Lets wait for someone to switch on the power button.
ASKER
actually, I've just found the MD's laptop which is Vista Business. Just logging in via remote desktop...
ASKER
ok - mentally exhausted but I think we're onto something here...
This laptop unfortunately has Outlook 2010 on it which isn't a fair comparison since the desktop I was using had Outlook 2007. However, I've set this laptop up for the user I was testing with and it appears that the Out of office replies function loads now.
Well, this needs some more testing I think. Thanks for your help so far but it's nearly 7pm here and I need to get the kids in the bath and get some dinner.
I'll pick this up again tomorrow morning while you're still fast asleep in bed ;)
sure dude.
Take care and catch some rest. You've been at it the whole day.
PS: Be sure to turn off OOF after you test it otherwise any emails to MD's email address will get a OOF.
ASKER
Yeah, thanks for that. I wasn't using his profile to test it though.
ASKER
Today is Friday the 13th .... and don't I know it!
The laptop that worked last night now doesn't work anymore. It seems that the autodiscover security certificate warning issue has returned. I also notice that the machine resolves autodiscover.companyname.com to the external IP address.
I've flushed the DNS on the workstation with no effect. Ping the address from the server and it resolves correctly. I'm thinking that the autodiscover situation is a DNS issue at the moment.
gggrrrrrrrrrrr!!!
I thought you created split DNS ?
ASKER
Good morning!
Yes, I have done. This is really weird.
The MD's laptop that worked fine last night, now doesn't work anymore. Pinging autodiscover.companyname.com from the laptop now resolves to the WAN IP, not the LAN IP of the server.
Pinging the same from the server itself returns the correct LAN address.
morning dude.
ipconfig /flushdns
ipconfig /release
ipconfig /renew ALL
from workstation?
ASKER
LOL - yeah, nice one - If I release then I'll lose the remote connection! ;o)
Would a batch file work?
I have managed to get onto the other desktop PC. It's an XP Pro box which is joined to the domain.
A few points to note. Some may be relevant, some may not....
1. I raised the bar on the spam filtering yesterday and added about 750 excluded addresses & domains. Started to work ok but today I'm told they are still getting loads of spam. I've not investigated this at all yet.
2. Everyone seems to be constantly asked for their Outlook credentials
3. An iphone user who is away on vacation is saying that he can no longer send emails (I'm assuming it's stopped synching)
4. This XP workstation resolves to the LAN IP of the server for autodiscover.companyname.com but then still produces the autodiscover security certificate error that I thought I'd corrected yesterday.
Forgot @ remotely connected.batch file maybe.
I usually install logmein on the server / workstation before I attempt this.
@Credentials will be sending you something.
Other issues @ I ask myself how many of these can be solved by a server restart.
What do you think
ASKER
I had started to wonder about a server restart myself.
However, I've just noticed something.
office.companyname.com has its own DNS forwarding zone in the server's DNS manager. It has an entry in there which appears to redirect its root to the LAN IP of the terminal server, not the SBS server.
office.companyname.com is the address used in the 'connect to the internet' wizard - does this automatically create this zone? I'm wondering about deleting it as this is obviously going to upset the local config for DNS clients.
lets just try to see where is autodiscover.companyname.com going.
whether it's picking it up from the split DNS or resolving externally.
at this point, following will be helpful
a) ipconfig /all
Check which DNS server is doing DNS resolution for the workstation in question (which is resolving autodiscover externally)
b) start > run > cmd
nslookup
set type=all
set q=mx
companyname.com
>> see if it's external / internal MX
c) From Exch shell
Get-OutlookProvider -Identity EXCH | Format-List
ASKER
The dodgy workstation is using the SBS server for DNS resolution.
Your NSlookup results are as follows:
Default Server: resolver2.opendns.com
Address: 208.67.220.220
> set type=0
unknown query type: 0
> set type=all
> set q=mx
> companyname.com
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
companyname.com MX preference = 10, mail exchanger = office.companyname.com
companyname.com MX preference = 20, mail exchanger = mail.companyname.com
on your internal DNS where is this DNS resolving. didn't they give internal or external IP's ?
companyname.com MX preference = 10, mail exchanger = office.companyname.com
companyname.com MX preference = 20, mail exchanger = mail.companyname.com
Also I need to see if split DNS actually works on sbs. I don't remember..but I want to check that.
ASKER
I ran through your nslookup commands and copied/pasted the results. I just replaced the domain names as usual but there were no IP addresses there other than the openDNS one that you can see.
ASKER
I notice that when a user opens Outlook, they get prompted for their credentials against various subdomains in the following sequence:
servername.companyname.com (1 time)
office.companyname.com
office.companyname.com
office.companyname.com
office.companyname.com (4 times)
.companyname.com
.companyname.com
.companyname.com (3 times)
<Certificate error appears> (1 time)
autodiscover.companyname.com
autodiscover.companyname.com
autodiscover.companyname.com (3 times)
Regardless of whether you type the right password or not, the process follows this pattern. Then it disappears for a bit and comes back a minute or two later.
I've tried changing the IP address of office.companyname.com in DNS manager although it doesn't seem to have made any difference. I'm still getting the error message saying that the name on the security certificate is invalid or does not match the name on the site.
ASKER
I'm considering installing Exchange SP2 - would this be a good idea at this point?
ASKER
After over 100 posts, I think we're there!
After making sure that the DNS resolution was correct externally and internally it seems the vast majority of other problems was due to a lack of Windows updates on the server.
After updating the server's normal Windows updates I found that the Home Premium machine worked just as well as a domain PC.
I did NOT need to use any service packs for Exchange to make this happen.
The only outstanding issue now is that external out of office replies don't work. However, the server currently sends email out through the ISP's mail server via a smarthost configuration. If this is switched to DNS, then the out of office works ok. I believe this is due to the ISP's mail server blocking the out of office replies since they look like spam.
Unfortunately, leaving the system configured to send out via DNS means that genuine emails are being bounced as spam. I'm currently working on this and I'm assuming that nobody has configured a reverse DNS entry at the ISP for mail.companyname.com
Sunnyc7> I'm soooo grateful you've stuck with me on this issue. There were times that I thought I might have ended up needing to reformat the server. I've had a very depressing few days working on this issue but I've learned a lot.
Many thanks. The points are yours and are very well deserved. If I could have awarded more points then I would have gladly done so!
ASKER
Just Windows updates - no service packs were needed in the end.
Dude..
Was out of EE for the weekend and just logging back and going through all the messages.
i am glad it worked out.
PS: didn't know server didn't have updates.... :(
maybe I should create a checklist of some sort before we delve deep into troubleshooting.
thanks for the points :)
ASKER
To be honest, I always tell my customers to do their windows updates before we delve too deep into odd situations. I really should have had a spoon full of my own medicine!
All's well that ends well :)
ASKER
Thanks again!
:)
Follow this link to configure:
http://technet.microsoft.com/en-us/library/bb201695.aspx