SBS2008, Autodiscover & Out of Office Replies

Before I make a complete mess of an SBS server, I'd like to check with the experts!

I have a client site where there is an Autodiscover security certificate error every time they launch Outlook. I've overlooked this as it's never really caused an issue before.

However, a user now wants to configure an out of office reply and the system says she can't because she's not connected to the server. The server status at the bottom of outlook says she's connected and all other mail functions appear normal.

After a bit of Googling, it appears that the Autodiscover issue is preventing the out of office assistant from starting. However, it should be possible to configure the out of office reply from OWA.  I've tried this and although it lets me configure it, the replies don't appear to be working. This may or may not be me doing it wrong but may also be connected, too.

The certificate error on the Autodiscover side of things relates to the certificate name not being the same as the address of the server. However, I'm not sure if this is actually true.

My question is this - I've seen references to entering commands into the Exchange console to correct the certificate issue but I'm nervous about doing anything here since SBS systems prefer to use wizards.

Can anyone advise the best way to correct this on a Small Business Server 2008 please.
edz_pgtAsked:
Coast-ITCommented:
Agreed, SBS does like wizards, but there is no wizard to do what you need to do, there is no problem touching the Exchange shell to achieve what you need.

Follow this link to configure:

http://technet.microsoft.com/en-us/library/bb201695.aspx
edz_pgtAuthor Commented:
Wow! - thanks for the quick responses. I obviously haven't had time to read the articles yet but wanted to ask your advice while you're still online.
Is it possible to fix this without re-issuing a new security certificate? This would be a real pain in the you-know-what!
edz_pgtAuthor Commented:
ok - looking at the articles, it seems a bit complex and I need some clarification please. These issues may be in areas that you've spent considerable time with but I'm a bit fresh to the whole thing.
If we were to say that the certificate address is https://office.domain.com then what exactly should I be doing, (and where) please.
edz_pgtAuthor Commented:
I should also add that this particular user is internal. Therefore, this might have an impact on the certificate addressing.
sunnyc7Commented:
Please run this on exch shell and copy paste here.

Get-WebServicesVirtualDirectory | fl

Also - you need a correctly configured UCC/SAN issued to the following domains for your Exchange / iPhones / Windows phones / autodiscover and OOF to work properly.

UCC/SAN issued to
mail.domain.com (external FQDN)
autodiscover.domain.com (external)
mail.domain.local (internal FQDN)
mail (SERVERNAME)

thanks
edz_pgtAuthor Commented:
Something else that springs to mind is that this customer (as with ourselves and all of our customers) uses the self-signed certificate.
Autodiscover isn't really something we want to use - ie it's not important that it works as far as I can tell. Just as long as it doesn't stop us doing other things.
I've substituted the customer's server name with 'servername' and their internal and external domains with 'customername' (although I've left the TLD intact).
 
InternalNLBBypassUrl          : https://servername.customerdomain.local/EWS/Exchange.asmx
Name                          : EWS (SBS Web Applications)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://servername.customername.local/W3SVC/3/ROOT/EWS
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
Server                        : servername
InternalUrl                   : https://office.customername.com/EWS/Exchange.asmx
ExternalUrl                   : https://office.customername.com/EWS/Exchange.asmx
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=EWS (SBS Web Applications),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=customername,DC=local
Identity                      : servername\EWS (SBS Web Applications)
Guid                          : a69fbf2b-02b1-499a-a87d-a6404ffe89f7
ObjectCategory                : customername.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                   : 20/01/2010 16:36:36
WhenCreated                   : 19/01/2010 17:42:07
OriginatingServer             : servername.customername.local
IsValid                       : True
sunnyc7Commented:
InternalUrl                   : https://office.customername.com/EWS/Exchange.asmx
ExternalUrl                   : https://office.customername.com/EWS/Exchange.asmx

--
that is wrong.

For internal URL it should be directed to - servername.customername.local - Internal FQDN
for external URL it should be directed to - mail.domain.com > external

- run this from exchange shell

Get-WebServicesVirtualDirectory | Set-WebservicesVirtualDirectory -internalurl https://servername.customername.local/EWS/Exchange.asmx -BasicAuthentication:$True

Restart this service after that.
start> run > services.msc
MSExchangeMailboxAssistants

See if that works, otherwise for testing you can also run this and check if it works.

--
Set-SenderFilterConfig -Enabled $false
edz_pgtAuthor Commented:
Thanks.
I've done as you say (obviously I amended the server and domain details first) but this doesn't appear to have made any difference.
I'm not sure what to expect, but when I ran the Set-SenderFilteringConfig command, I didn't get any response. It just accepted the command and returned me to the command prompt.
I don't know if this is relevant but when launching Outlook, the client gets the Autodiscover certificate error. This states that it was issued by Plesk. Can't imagine why that would be. However, if the client goes to https://servername/owa and clicks the certificate, then the correct details are displayed (ie the https:office. ... etc.)
 
BusbarSolutions ArchitectCommented:
did you set up autodiscover as well? You need it to work internally correctly as well.
sunnyc7Commented:
good point by busbar.

can you run this

get-autodiscovervirtualdirectory | fl
and copy paste the results here.
edz_pgtAuthor Commented:
Thanks busbar - I hadn't done that. I have worked out the syntax and set this correctly now although, again, it hasn't changed anything. (I restarted the mailbox assistants service again, too).
Just having a 'homer moment' though - autodiscover.companyname.com doesn't exist as an A record on the DNS of the external domain. I'm guessing this might be an issue?
BusbarSolutions ArchitectCommented:
yes you are correct, you need it also in the internal DNS if you don't use internal name in the internal SCP
sunnyc7Commented:
We are dealing with internal Autodiscover at this point.
External autodiscover is required for RPC/HTTPS.

Please run this
get-autodiscovervirtualdirectory | fl
edz_pgtAuthor Commented:
busbar, could you expand on that internal domain comment please? ...and what does SCP stand for?
BusbarSolutions ArchitectCommented:
SCP service connection point
externally outlook clients use autodiscover.domain.com, while internally they query the active directory using the SCP to connect to a specific URL. This is set to the first CAS internal FQDN by default and you can change it as I specified in my article.
edz_pgtAuthor Commented:
ok - sorry but I'm lost now. I can't see anything obvious in your article and I'm not sure I can work this out.
I'm guessing I need to be adding an A record to the DNS in the SBS server that points autodiscover.companyname.com to the internal IP of the server. Am I right? If so, I'm a bit rusty on this so I'd appreciate someone reminding me how to do that.
sunnyc7Commented:
Can you run this from exch shell and post the results here.
get-autodiscovervirtualdirectory | fl

thanks
edz_pgtAuthor Commented:

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://servername.customername.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : servername
InternalUrl                   : https://servername.customername.local/EWS/Exchange.asmx
ExternalUrl                   : https://office.customername.com/Autodiscover/Autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=customername,DC=local
Identity                      : servername\Autodiscover (SBS Web Applications)
Guid                          : 74b93ebf-2690-434b-b0f4-08f5ed6a5b50
ObjectCategory                : customername.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 11/08/2010 12:35:24
WhenCreated                   : 19/01/2010 17:42:29
OriginatingServer             : servername.customername.local
IsValid                       : True
sunnyc7Commented:
this is your problem >>
InternalUrl                   : https://servername.customername.local/EWS/Exchange.asmx

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl "https://servername.customername.local/Autodiscover/Autodiscover.xml"
BusbarSolutions ArchitectCommented:
as I said you need to change the internal URL from the server FQDN to the office.customernaname.com
use:
Set-ClientAccessServer -Identity <CAS Server Name> -AutoDiscoverServiceInternalUri https://office.customername.com/Autodiscover/Autodiscover.xml
BusbarSolutions ArchitectCommented:
Hi Sunny,
updating the internal SCP is done using the set-clientaccessserver not set-autodiscovervirtualdirectory
sunnyc7Commented:
Could it be that its modifying the same object ?
I checked the technet article on modifying autodiscover SCP's. Your syntax is correct.

I have used the above command successfully.
edz_pgtAuthor Commented:
I'm still no further on this I'm afraid. I've updated the autodiscover internal URL though:
Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://servername.companyname.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : servername
InternalUrl                   : https://servername.companyname.local/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://office.companyname.com/Autodiscover/Autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=companyname,DC=local
Identity                      : servername\Autodiscover (SBS Web Applications)
Guid                          : 74b93ebf-2690-434b-b0f4-08f5ed6a5b50
ObjectCategory                : companyname.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 11/08/2010 13:49:26
WhenCreated                   : 19/01/2010 17:42:29
OriginatingServer             : servername.companyname.local
IsValid                       : True
 
sunnyc7Commented:
Did you restart this service

start> run > services.msc
MSExchangeMailboxAssistants
edz_pgtAuthor Commented:
ok - Thanks for the input so far. Just to keep you up to speed, I'm convinced that the incorrect external DNS resolution of autodiscover.companyname.com has got to be a bad thing so I'm waiting for it to propagate before I have a stab at anything else.
I'll come back once this has been resolved.
edz_pgtAuthor Commented:
Right. Now that the DNS has propagated I have a new problem.
The security alert that pops up when you launch Outlook used to be happy with items 1 and 2 but failed on the 3rd element which is "The name on the security certificate is invalid or does not match the name of the site".
It now fails on points 1 and 3. The first one says "The security certificate was issued by a company you have not chosen to trust."
When I view the certificate I now see that it is:
Issued to: office.customername.com
Issued by: customername-SERVERNAME-CA
Valid from: 20/01/2010 to 20/01/2012
Yesterday, this certificate said it was issued by plesk.
Anyway, I've tried installing the certificate (I was logged in as the user though) and I tried installing it automatically and also into the trusted root authority.
Help! :)
edz_pgtAuthor Commented:
I also find it constantly asks for the user's login username and password now.
edz_pgtAuthor Commented:
It's all gone very quiet :(
Can anyone else shed any light on this please?
sunnyc7Commented:
hey I was sleeping. Just woke up (I am in EST). Will check this and post back...
edz_pgtAuthor Commented:
LOL - how dare you be asleep when I start work at GMT+1 !!
;o)
sunnyc7Commented:
;) EE is taking over my life..
sunnyc7Commented:
For this error:
The security certificate was issued by a company you have not chosen to trust.

http://support.microsoft.com/kb/297681

Go here
c:\windows\system32\certsrv\Certenroll
Double click on the cert which is there and see who was it issued to.
-
If you have the correct cert, you can export and import it back.
here's a tool which helps you do this.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html
edz_pgtAuthor Commented:
I'm getting a little further (I think)...
I've managed to resolve the error 1 "The security certificate was issued by a company you have not chosen to trust." by importing the certificate directly from a CER file rather than from the certificate popup itself.
I've also got the DNS working better.
office.customername.com now resolves INTERNALLY to the server's internal IP
autodiscover.customername.com now resolves INTERNALLY to the server's internal IP
office.customername.com now resolves EXTERNALLY to the office's external IP
autodiscover.customername.com now resolves EXTERNALLY to the office's external IP
Still struggling with error 3 on the certificate popup though:
"The name on the security certificate does not match..."
 
sunnyc7Commented:
Are you getting that from OWA or outlook ?
edz_pgtAuthor Commented:
Outlook
sunnyc7Commented:
Your cert has to have these 4 names

mail.domain.com (external FQDN)
autodiscover.domain.com (external autodiscover)
mail.domain.local (internal FQDN)
mail (Internal Servername)
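As an added check (this is not sunnyc7's or the thread's code), the script below lists every hostname Outlook can be sent to by the EWS, OAB, Autodiscover and SCP settings discussed above, and reports whether the IIS-bound certificate covers that name and whether it resolves in DNS from where the script runs. It assumes it is run in the Exchange Management Shell on the SBS 2008 server and uses PowerShell 1.0 syntax; the hostnames it prints come from the live configuration, so the office.customername.com / servername.customername.local mismatch in this thread would show up as OnCert=False.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the SBS 2008 box. Assumes Exchange 2007 cmdlets and PowerShell 1.0.

function Get-UrlHost([string]$Url) {
    if ([string]::IsNullOrEmpty($Url)) { return $null }
    return ([System.Uri]$Url).Host.ToLower()
}

# Does one of the certificate names (possibly a wildcard) cover a hostname?
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)               # ".domain.com"
            $label  = $HostName.Substring(0, [Math]::Max(0, $HostName.Length - $suffix.Length))
            # A wildcard matches exactly one label, so "a.b.domain.com" is not covered.
            if ($HostName.EndsWith($suffix) -and -not $label.Contains('.')) { return $true }
        }
    }
    return $false
}

# DNS lookup that returns a marker instead of throwing (trap keeps this PS 1.0-safe).
function Resolve-Name([string]$HostName) {
    trap { return 'NO DNS' }
    return ([System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1).IPAddressToString
}

# 1. Every URL Outlook may be handed: EWS (needed for Out of Office), OAB,
#    the Autodiscover virtual directory, and the SCP URI from Set-ClientAccessServer.
$urls = @()
Get-WebServicesVirtualDirectory  | ForEach-Object { $urls += "$($_.InternalUrl)"; $urls += "$($_.ExternalUrl)" }
Get-OabVirtualDirectory          | ForEach-Object { $urls += "$($_.InternalUrl)"; $urls += "$($_.ExternalUrl)" }
Get-AutodiscoverVirtualDirectory | ForEach-Object { $urls += "$($_.InternalUrl)"; $urls += "$($_.ExternalUrl)" }
Get-ClientAccessServer           | ForEach-Object { $urls += "$($_.AutoDiscoverServiceInternalUri)" }

$hosts = $urls | ForEach-Object { Get-UrlHost $_ } | Where-Object { $_ } | Sort-Object -Unique

# 2. Names on the certificate(s) actually bound to IIS, i.e. the one Outlook sees.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains | ForEach-Object { "$_" } })

# 3. One line per hostname: covered by the IIS cert? resolves from here?
foreach ($h in $hosts) {
    "{0,-50} OnCert={1,-5} ResolvesTo={2}" -f $h, (Test-NameCovered $h $certNames), (Resolve-Name $h)
}
```

Any line with OnCert=False is a name that will trigger the "name on the security certificate does not match" prompt, and NO DNS is a name that needs a split-DNS or external A record as discussed later in this thread.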
edz_pgtAuthor Commented:
Don't forget that this is a self-signed cert - is this possible to do?
I was looking at this page here:
http://support.microsoft.com/kb/940726 
I'm thinking that now that my internal clients resolve https://autodiscover.companyname.com to the server's internal IP, I should possibly do as the KB says and set the internaluri to be the external address.
What do you think?
sunnyc7Commented:
Check from this path
c:\windows\system32\certsrv\Certenroll

If it is issued to these.
mail.domain.local (internal FQDN)
mail (Internal Servername)
--
From outlook
Go here
Tools > Account Settings
Click on the E-mail tab
click Repair.
sunnyc7Commented:
From that link above

What is your internal URL ? > the FQDN of the CAS server
or the First MX record - mail.domain.com ?

if you are using autodiscover.companyname.com > did you create a DNS entry for that to point to the CAS server ?

Try outlook refresh steps above.
edz_pgtAuthor Commented:
The cert is issued to:
customername-SERVERNAME-CA
sunnyc7Commented:
Any luck ?
sunnyc7Commented:
That is probably the self signed. Where is your plesk cert then ?
edz_pgtAuthor Commented:
sorry - on phone - 2mins
 
sunnyc7Commented:
Either you can run Get-ExchangeCertificate | fl
Or use the u-btech tool from the link above to manage it

sunnyc7Commented:
Ok. I will go take a shower and get some coffee
edz_pgtAuthor Commented:
The CAS server internal URI is https://office.customername.com/Autodiscover/Autodiscover.xml
 
Yes, autodiscover.companyname.com internally points to the server's internal IP and externally points to the WAN IP.
I'm getting access denied when trying to get the certificate from the exchange console and I can't see the u-btech thing you mentioned.
Was the coffee good?
 
edz_pgtAuthor Commented:
Certificate:
 

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.companyname.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=companyname-SERVERNAME-CA
NotAfter           : 28/04/2011 11:30:28
NotBefore          : 28/04/2010 11:30:28
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 611C9C9C000000000006
Services           : IMAP, POP
Status             : Valid
Subject            : CN=SERVERNAME.companyname.local
Thumbprint         : 5C270961497DEA0FD9B44E458198D2F5B89690F9

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {office.companyname.com, companyname.com, SERVERNAME.braemoregroup.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=companyname-SERVERNAME-CA
NotAfter           : 20/01/2012 16:26:16
NotBefore          : 20/01/2010 16:26:16
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61FD8FD5000000000005
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=office.companyname.com
Thumbprint         : D82FB69D18C62838D0F534E0AD98BAF4A7F99280

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.companyname.com, companyname.com, SERVERNAME.braemoregroup.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=companyname-SERVERNAME-CA
NotAfter           : 20/01/2012 16:18:31
NotBefore          : 20/01/2010 16:18:31
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61F67CE1000000000004
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.companyname.com
Thumbprint         : D332064DB6A4B657894E85A5001EB03D5DCF3550

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.companyname.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERVERNAME.companyname.local
NotAfter           : 19/01/2013 00:00:00
NotBefore          : 20/01/2010 00:00:00
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : C74B522D8D36388841C210C141A3005F
Services           : IMAP, POP
Status             : Valid
Subject            : CN=SERVERNAME.companyname.local
Thumbprint         : C4D922B54D5801102073DB6D284303E5C7B12551

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERNAME.companyname.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=companyname-SERVERNAME-CA
NotAfter           : 19/01/2012 17:17:01
NotBefore          : 19/01/2010 17:17:01
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6105ABC8000000000002
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 1314EF6C4C9619181FF0B47C34B836BB51687E9E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {companyname-SERVERNAME-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=companyname-SERVERNAME-CA
NotAfter           : 19/01/2015 17:25:59
NotBefore          : 19/01/2010 17:16:00
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 4391B22687797CB0412BF317BCB97E1F
Services           : None
Status             : Valid
Subject            : CN=companyname-SERVERNAME-CA
Thumbprint         : 2311E5A17ADF65D6211495FC13A07974BF4C5D08

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-SLMEVBZKJWT}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-SLMEVBZKJWT
NotAfter           : 17/01/2020 15:47:36
NotBefore          : 19/01/2010 15:47:36
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1FDA25B136928ABA4FEEA662E305CA59
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-SLMEVBZKJWT
Thumbprint         : 4570574D2E24340CAC68067FF434AD663860957C
 
sunnyc7Commented:
this is the one

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {office.companyname.com, companyname.com, SERVERNAME.braemoregroup.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=companyname-SERVERNAME-CA
NotAfter           : 20/01/2012 16:26:16
NotBefore          : 20/01/2010 16:26:16
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61FD8FD5000000000005
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=office.companyname.com
Thumbprint         : D82FB69D18C62838D0F534E0AD98BAF4A7F99280
sunnyc7Commented:
Use the u-btech tool above to remove / import the cert's.
sunnyc7Commented:
yep It was good @ coffee. Starting by day - heading out to office.
edz_pgtAuthor Commented:
ok - I've managed to export the certificate using u-btech but how do I edit it and get it back in?
Will I then need to visit every device to re-install the a new certificate? (Major issue!)
sunnyc7Commented:
You can't edit it. You can import using ubtech tool too
edz_pgtAuthor Commented:
So... if I can't edit it, what should I be importing?
and... what effect will the import have on existing users?
sunnyc7Commented:
You get the certificate from plesk / Godaddy with these domains on it.
mail.domain.com (external FQDN)
autodiscover.domain.com (external autodiscover)
mail.domain.local (internal FQDN)
mail (Internal Servername)

you configure this at that time when you are buying the cert.

--
existing users - if they are using outlook / OWA - they will get the new certificate when they disconnect and reconnect.

i am trying to think of any other implication...will post back.
edz_pgtAuthor Commented:
so, is it not possible to run with a self-signed cert?
edz_pgtAuthor Commented:
We also have a few iPhone users who are posted across Europe. Installing the certificate originally involved setting up a temporary gmail account, emailing the cert to it, getting the user's iphone configured for that account, downloading and installing the cert and then deleting the gmail account from their phones again.
I don't really fancy going through all that again if I can help it!
sunnyc7Commented:
it is possible to run self signed
sunnyc7Commented:
iPhone will go through with self signed - but Windows Mobile phones and Droid's may not work.
edz_pgtAuthor Commented:
So, what should i be doing to correct the self-signed cert?
sunnyc7Commented:
you cannot correct self-signed, you can issue a new one

See the steps here
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
edz_pgtAuthor Commented:
I'm struggling to get my head around this now. Why will a new one be any better than the one I've already got? I also don't understand why this doesn't work 'out of the box' on a standard installation.
sunnyc7Commented:
Give me sometime @ on a support call.
edz_pgtAuthor Commented:
no probs.
I hope there's a prize for the longest EE post - we might win it at this rate!
sunnyc7Commented:
yeah man >> or agent smith is replicating.

( I am trying to make a series of agent smith humor and microsoft exchange...
That's the closest analogy I had till now between Microsoft Exchange and movies.)
edz_pgtAuthor Commented:
LOL!
I probably ought to watch the Matrix again. I can't really remember enough to understand you!
 
sunnyc7Commented:
Agent smith starts replicating in Matrix part 3.
In the third part he starts punching his hand in every one's stomach/solar plexus and converts them to Agent Smith.

Neo goes to meet the Architect and cuts a deal with him that he will stop Agent Smith from replicating.

In the end he converts the Oracle to Agent Smith..and when he tries to do that to Neo - he explodes.
This is within the matrix.

And the famous line -- I am supposed to say something at this point...like -- Everything that has a beginning has an end.

--
When I think agent smith, I think domain controllers and public folders.
I think I will send an email to the XKCD guys to come up with something and wear it as a T-Shirt :D
check my profile @ XKCD
http://www.experts-exchange.com/M_5929264.html

I am doing this while on a support call. Matrix must be awesome...
I cant remember how many times i have watched it....
edz_pgtAuthor Commented:
Is this autodiscover test any use?
companyname-exchange-test.gif
edz_pgtAuthor Commented:
3908 737007691 08/12/10 15:51:15 Autodiscover to https://companyname.com/autodiscover/autodiscover.xml starting
3908 737008143 08/12/10 15:51:15 Autodiscover to https://companyname.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
3908 737008143 08/12/10 15:51:15 Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml starting
3908 737010405 08/12/10 15:51:17 Autodiscover XML Received
I notice that it's trying to resolve https://companyname.com/autodiscover/autodiscover.xml
I don't have an internal DNS resolution for this. Do I need to cater for companyname.com (with no subdomain)? If so, how do I set up a split DNS for this?
sunnyc7Commented:
autodiscover has to link to
autodiscover.domain.local -- not to autodiscover.companyname

it has to resolve internally.

I am going to be stepping out for about 1.5 hrs. will log back and check it then.
edz_pgtAuthor Commented:
ok - but I've used split DNS to make autodiscover.companyname.com resolve to autodiscover.companyname.local

I may have made some progress though! .....Woohoo!

I've also added a split DNS for companyname.com  to the server's NETBIOS name. This seems to have prevented the certificate error from appearing when I launch Outlook.

However, autoconfiguration test seems to fail still.  
sunnyc7Commented:
Check the exchange proxy settings and where it is connecting to.

also run this

outlook /rpcdiag - that will give you the exchange server connection status.
edz_pgtAuthor Commented:
Getting closer.... I got the autotest to work just now!
Out Of Office assistant still failing though :(
 
edz_pgtAuthor Commented:
Within the rpcdiag, the local tab displays the following:
Synchronizing Hierarchy
Offline address book Connecting to Microsoft Exchange
 
Been sat like that for a couple of minutes - is that normal?
sunnyc7Commented:
if it is sitting there for couple of minutes - that means its not connecting.

I will send you some more cmdlets to check your SCP - service connection points.

thanks
edz_pgtAuthor Commented:
I've read somewhere that this might be because this workstation isn't joined to the domain. Apparently these symptoms correspond to this theory. As it happens, the only workstation I have easy access to is a Vista Home Premium system which makes it impossible to join the domain.

Have you heard of this being an issue?
sunnyc7Commented:
AAAHHH.
I didn't know that @ this workstation isn't joined to this domain.

Can you test this from a workstation which is joined to the domain...
VISTA home premium cannot join to a domain. You need vista professional.

Is there any other way we can test this.

It's better to test our existing setup than trying to modify it for a workstation which is not joined to the domain.
edz_pgtAuthor Commented:
I'm doing this remotely. This is the only desktop PC that's switched on. All the others are laptops which are mobile. There's one more desktop but it's switched off. Due to holidays, there's hardly ever anyone in the office to turn the other one on.

LOL! You just couldn't make it up, could you!

Let me see if I can create a VPN and find a spare machine to join to the domain remotely.

.... I may be some time!
sunnyc7Commented:
Did you try Wake on LAN for the desktops which are switched off?

a) Login to their firewall, see if you can get a MAC address from the DHCP list there
b) I hope you have the IP address

Login to the domain
start > run > cmd
type

arp -a
That gives you the ARP cache of MAC address and IP

c) Then use this tool to wake up
http://www.depicus.com/wake-on-lan/wake-on-lan-gui.aspx

This tool has rescued me so many times.
edz_pgtAuthor Commented:
No luck I'm afraid. Must be fast asleep - I think I can hear it snoring from here!
sunnyc7Commented:
ok - forgot to tell you, the workstations have to have WOL configured on their ethernet cards :-s

When arp -a doesn't work, I usually make a phone call to the location.
(but I forget they are out on vacation....)

Let's wait for someone to switch on the power button.
edz_pgtAuthor Commented:
actually, I've just found the MD's laptop which is Vista Business. Just logging in via remote desktop...
edz_pgtAuthor Commented:
ok - mentally exhausted but I think we're onto something here...
This laptop unfortunately has Outlook 2010 on it, which isn't a fair comparison since the desktop I was using had Outlook 2007. However, I've set this laptop up for the user I was testing with and it appears that the Out of Office replies function loads now.
Well, this needs some more testing I think. Thanks for your help so far, but it's nearly 7pm here and I need to get the kids in the bath and get some dinner.
I'll pick this up again tomorrow morning while you're still fast asleep in bed ;)
sunnyc7Commented:
sure dude.
Take care and catch some rest. You've been at it the whole day.

PS: Be sure to turn off OOF after you test it, otherwise any emails to the MD's email address will get an OOF.
edz_pgtAuthor Commented:
Yeah, thanks for that. I wasn't using his profile to test it though.
edz_pgtAuthor Commented:
Today is Friday the 13th .... and don't I know it!
The laptop that worked last night now doesn't work anymore. It seems that the autodiscover security certificate warning issue has returned. I also notice that the machine resolves autodiscover.companyname.com to the external IP address.
I've flushed the DNS on the workstation with no effect. Ping the address from the server and it resolves correctly. I'm thinking that the autodiscover situation is a DNS issue at the moment.
gggrrrrrrrrrrr!!!
sunnyc7Commented:
I thought you created split DNS ?
edz_pgtAuthor Commented:
Good morning!
Yes, I have done. This is really weird.
The MD's laptop that worked fine last night, now doesn't work anymore. Pinging autodiscover.companyname.com from the laptop now resolves to the WAN IP, not the LAN IP of the server.
Pinging the same from the server itself returns the correct LAN address.
sunnyc7Commented:
morning dude.

ipconfig /flushdns

ipconfig /release
ipconfig /renew ALL

from the workstation?

edz_pgtAuthor Commented:
LOL - yeah, nice one - if I release then I'll lose the remote connection! ;o)
Would a batch file work?
I have managed to get onto the other desktop PC. It's an XP Pro box which is joined to the domain.
A few points to note. Some may be relevant, some may not....
1. I raised the bar on the spam filtering yesterday and added about 750 excluded addresses & domains. Started to work ok but today I'm told they are still getting loads of spam. I've not investigated this at all yet.
2. Everyone seems to be constantly asked for their Outlook credentials
3. An iphone user who is away on vacation is saying that he can no longer send emails (I'm assuming it's stopped synching)
4. This XP workstation resolves to the LAN IP of the server for autodiscover.companyname.com but then still produces the autodiscover security certificate error that I thought I'd corrected yesterday.
 
sunnyc7Commented:
Forgot about you being remotely connected. Batch file, maybe.
I usually install LogMeIn on the server / workstation before I attempt this.

@Credentials will be sending you something.

Other issues @ I ask myself how many of these can be solved by a server restart.
What do you think
edz_pgtAuthor Commented:
I had started to wonder about a server restart myself.
However, I've just noticed something.
office.companyname.com has its own DNS forwarding zone in the server's DNS manager. It has an entry in there which appears to redirect its root to the LAN IP of the terminal server, not the SBS server.
office.companyname.com is the address used in the 'connect to the internet' wizard - does this automatically create this zone? I'm wondering about deleting it, as this is obviously going to upset the local config for DNS clients.
sunnyc7Commented:
Let's just try to see where autodiscover.companyname.com is going.

whether it's picking it up from the split DNS or resolving externally.

at this point, following will be helpful

a) ipconfig /all
Check which DNS server is doing DNS resolution for the workstation in question (which is resolving autodiscover externally)

b) start > run > cmd
nslookup
set type=all
set q=mx
companyname.com

>> see if it's external / internal MX

c) From Exch shell
Get-OutlookProvider -Identity EXCH | Format-List
edz_pgtAuthor Commented:
The dodgy workstation is using the SBS server for DNS resolution.
Your nslookup results are as follows:

Default Server:  resolver2.opendns.com
Address:  208.67.220.220
> set type=0
unknown query type: 0
> set type=all
> set q=mx
> companyname.com
Server:  resolver2.opendns.com
Address:  208.67.220.220
Non-authoritative answer:
companyname.com       MX preference = 10, mail exchanger = office.companyname.com
companyname.com       MX preference = 20, mail exchanger = mail.companyname.com
sunnyc7Commented:
On your internal DNS, where is this resolving? Didn't they give internal or external IPs?

companyname.com       MX preference = 10, mail exchanger = office.companyname.com
companyname.com       MX preference = 20, mail exchanger = mail.companyname.com

Also, I need to see if split DNS actually works on SBS. I don't remember, but I want to check that.
edz_pgtAuthor Commented:
I ran through your nslookup commands and copied/pasted the results. I just replaced the domain names as usual but there were no IP addresses there other than the openDNS one that you can see.
edz_pgtAuthor Commented:
I notice that when a user opens Outlook, they get prompted for their credentials against various subdomains in the following sequence:
servername.companyname.com (1 time)
office.companyname.com
office.companyname.com
office.companyname.com
office.companyname.com (4 times)
.companyname.com
.companyname.com
.companyname.com (3 times)
<Certificate error appears> (1 time)
autodiscover.companyname.com
autodiscover.companyname.com
autodiscover.companyname.com (3 times)
Regardless of whether you type the right password or not, the process follows this pattern. Then it disappears for a bit and comes back a minute or two later.
I've tried changing the IP address of office.companyname.com in DNS manager although it doesn't seem to have made any difference. I'm still getting the error message saying that the name on the security certificate is invalid or does not match the name on the site.
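The credential prompts above name the hosts Outlook actually contacts (the server's own name, office.companyname.com and autodiscover.companyname.com), and the two failure modes discussed in this thread are a certificate that does not list those names and a split-DNS zone that still hands out the WAN address internally. The following is an added example, not code from any poster here, that checks a list of Outlook-facing hostnames against the names on a certificate (RFC 6125 style matching, including a single leftmost wildcard label) and against what the LAN DNS server returns. The certificate names, the resolver answers, the 192.168.1.0/24 LAN range and the 203.0.113.x WAN address are all constructed placeholders; companyname.com is the thread's own stand-in domain.

```python
"""Check the hostnames Outlook contacts against a certificate's names and the
internal DNS view.  All data below is constructed for illustration."""
import ipaddress

# Hostnames taken from the credential prompts in the thread.  companyname.com
# is the placeholder domain the poster used, not a real one.
OUTLOOK_HOSTS = [
    "servername.companyname.com",
    "office.companyname.com",
    "autodiscover.companyname.com",
]

# Constructed certificate names (CN plus Subject Alternative Names).  A real
# check would read these from the server's certificate.
CERT_NAMES = ["office.companyname.com", "servername.companyname.local"]

# Constructed view of what the LAN DNS server answers for each name.
LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed LAN range
INTERNAL_VIEW = {
    "servername.companyname.com": "192.168.1.2",       # the SBS box
    "office.companyname.com": "192.168.1.3",           # another LAN host
    "autodiscover.companyname.com": "203.0.113.10",    # WAN address leaking in
}


def name_matches(cert_name, host):
    """RFC 6125 style comparison: exact match, or a wildcard that covers
    exactly one leftmost label.  Case-insensitive, trailing dot ignored."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        rest = cert_name[2:]
        labels = host.split(".")
        # The wildcard must stand for one label and must not be the whole
        # second-level name (*.com never matches companyname.com).
        return len(labels) >= 3 and ".".join(labels[1:]) == rest
    return False


def cert_covers(host, cert_names=CERT_NAMES):
    """True if any certificate name matches the given host."""
    return any(name_matches(n, host) for n in cert_names)


def check_hosts(hosts=OUTLOOK_HOSTS, cert_names=CERT_NAMES,
                view=INTERNAL_VIEW, lan=LAN):
    """Return {host: [problems]}; an empty list means the host is fine.
    Problems are a certificate name mismatch, a missing internal record, or
    an internal answer outside the LAN (the split zone is not taking effect)."""
    report = {}
    for host in hosts:
        problems = []
        if not cert_covers(host, cert_names):
            problems.append("certificate name mismatch")
        addr = view.get(host)
        if addr is None:
            problems.append("no internal DNS record")
        elif ipaddress.ip_address(addr) not in lan:
            problems.append("internal DNS returns a non-LAN address")
        report[host] = problems
    return report


if __name__ == "__main__":
    for host, problems in check_hosts().items():
        print(host, "OK" if not problems else "; ".join(problems))
```

With the constructed data, the server's own name fails only on the certificate, office.companyname.com passes, and autodiscover.companyname.com fails on both counts, which is the combination of symptoms the thread describes. Swap in the real certificate names and resolver answers to use it on a live site.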
edz_pgtAuthor Commented:
I'm considering installing Exchange SP2 - would this be a good idea at this point?
sunnyc7Commented:
You can install Exchange 2007 SP3

These are the warnings
http://www.sbsfaq.com/?p=1992
http://support.microsoft.com/kb/982423

This is a how to
http://www.sbsfaq.com/?p=2140

You still need to make this registry key switch
http://support.microsoft.com/kb/973862

edz_pgtAuthor Commented:
After over 100 posts, I think we're there!
After making sure that the DNS resolution was correct externally and internally, it seems the vast majority of the other problems were due to a lack of Windows updates on the server.
After updating the server's normal Windows updates I found that the Home Premium machine worked just as well as a domain PC.
I did NOT need to use any service packs for Exchange to make this happen.
The only outstanding issue now is that external out of office replies don't work. However, the server currently sends email out through the ISP's mail server via a smarthost configuration. If this is switched to DNS, then the out of office works ok. I believe this is due to the ISP's mail server blocking the out of office replies since they look like spam.
Unfortunately, leaving the system configured to send out via DNS means that genuine emails are being bounced as spam. I'm currently working on this and I'm assuming that nobody has configured a reverse DNS entry at the ISP for mail.companyname.com
Sunnyc7> I'm soooo grateful you've stuck with me on this issue. There were times that I thought I might have ended up needing to reformat the server. I've had a very depressing few days working on this issue but I've learned a lot.
Many thanks. The points are yours and are very well deserved. If I could have awarded more points then I would have gladly done so!
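The last open point in the thread is outbound mail being bounced as spam when delivery goes direct via DNS, with a missing reverse DNS entry suspected. What receiving servers typically test is forward-confirmed reverse DNS: the sending IP must have a PTR record, the name in that PTR must resolve back to the same IP, and ideally it matches the name the server announces in EHLO. The block below is an added example, not part of the original discussion, that implements that check over constructed records so it runs offline. The 203.0.113.x addresses, the isp.example PTR name and the EHLO name are placeholders; mail.companyname.com is taken from the thread's own MX output.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound mail IP.
Constructed zone data stands in for live DNS so the example runs offline."""
import ipaddress

# Constructed records.  203.0.113.0/24 is a documentation range standing in
# for the server's WAN addresses; companyname.com is the thread's placeholder.
PTR_RECORDS = {
    "203.0.113.25": None,                      # no PTR published by the ISP
    "203.0.113.26": "mail.companyname.com",    # PTR set, forward record matches
    "203.0.113.27": "static-27.isp.example",   # generic ISP PTR, forward differs
}
A_RECORDS = {
    "mail.companyname.com": ["203.0.113.26"],
    "static-27.isp.example": ["203.0.113.99"],
}
HELO_NAME = "mail.companyname.com"   # assumed name the server sends in EHLO


def reverse_name(ip):
    """Owner name of the PTR record for an address, e.g. 25.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, helo=HELO_NAME, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return (status, detail) for the sending address.

    Statuses, in the order a receiving MTA would hit them:
      'no-ptr'        - nothing to look up; most spam filters penalise this
      'mismatch'      - PTR name does not resolve back to the sending IP
      'helo-mismatch' - FCrDNS passes but EHLO name differs from the PTR
      'ok'            - PTR, forward record and EHLO name all agree
    """
    name = ptr.get(ip)
    if name is None:
        return "no-ptr", f"{reverse_name(ip)} has no PTR record"
    if ip not in a.get(name, []):
        return "mismatch", f"PTR {name} does not resolve back to {ip}"
    if name.lower().rstrip(".") != helo.lower().rstrip("."):
        return "helo-mismatch", f"PTR {name} differs from EHLO name {helo}"
    return "ok", f"{ip} <-> {name}"


def audit(ips=tuple(PTR_RECORDS)):
    """Run the check over every constructed address and return {ip: status}."""
    return {ip: fcrdns(ip)[0] for ip in ips}


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        status, detail = fcrdns(ip)
        print(f"{ip:16} {status:14} {detail}")
```

Against a live server the two dictionaries would be replaced by real PTR and A lookups for the WAN address the smarthost-free configuration sends from; the status returned for 203.0.113.25 is the situation the final post suspects.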
edz_pgtAuthor Commented:
Just Windows updates - no service packs were needed in the end.
sunnyc7Commented:
Dude..

Was out of EE for the weekend and just logging back and going through all the messages.
i am glad it worked out.
PS: didn't know the server didn't have updates.... :(
maybe I should create a checklist of some sort before we delve deep into troubleshooting.

thanks for the points :)
edz_pgtAuthor Commented:
To be honest, I always tell my customers to do their windows updates before we delve too deep into odd situations. I really should have had a spoon full of my own medicine!
sunnyc7Commented:
All's well that ends well :)
edz_pgtAuthor Commented:
Thanks again!
:)