Solved

Installed new 3rd party cert Exchange 2010 outlook web App and email not working after reboot

Posted on 2010-08-25
1,002 Views
Last Modified: 2012-05-10
I am running Exchange 2010 rollup 4 on Server 2008sp2

I have installed a new 3rd party SSL cert and my users were getting the message that the names did not match. So I did this to fix:

Set-ClientAccessServer -Identity russellmail -AutodiscoverServiceInternalUri https://mail.domain.net/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "russellmail\EWS (Default Web Site)" -InternalUrl https://mail.domain.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "russellmail\oab (Default Web Site)" -InternalUrl https://mail.domain.net/oab

Email was working just fine as well as OWA.

We also changed ISPs, so my IP addresses changed and I made changes to DNS. After propagation all worked just fine. It is when I rebooted the server that everything stopped working: OWA and incoming and outgoing email.

To complicate matters further, we use Microsoft Forefront Online Protection and mail is bouncing back from their servers. (The following organization rejected your message: TX2EHSMHS044.bigfish.com; TX2EHSMHS044.bigfish.com #550 5.4.1 Relay Access Denied ##) I have a ticket open with them and they said they would get back to me when they found something.

I am not sure whether OWA not working (times out) is related to our incoming and outgoing mail not working.

I can give more info if needed.
 
Thanks
0
Question by:Rebel_Scum
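The three Set-* commands above change the URLs Exchange hands to clients; the name-mismatch warning goes away only when every such name is on the certificate IIS presents and resolves in internal DNS. The script below is an added example, not code from the thread or from Microsoft: it lists every name the Client Access server publishes (Autodiscover SCP plus the EWS, OAB, OWA, ECP and ActiveSync virtual directories), checks each against the CertificateDomains of the certificate enabled for IIS, and tries to resolve it. It assumes the Exchange 2010 Management Shell on the CAS; the server name russellmail is taken from the question.

```powershell
# Added example, not from the thread: after changing the certificate or the
# internal URLs, list every name Exchange 2010 hands to clients and report
# whether the IIS certificate covers it and whether internal DNS resolves it.
# Assumes the Exchange Management Shell on the CAS; "russellmail" is the
# server name from the question.
$server = 'russellmail'

# Every URL clients are told to use: the Autodiscover SCP plus the virtual directories.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OABVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server)
foreach ($vd in $vdirs) { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }
$names = @($urls | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() } | Sort-Object -Unique)

# Names on the certificate that IIS (OWA, EWS, OAB, Autodiscover) presents.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service on this server.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"IIS certificate {0} covers: {1}" -f $cert.Thumbprint, ($certNames -join ', ')

function Test-CertCoversName([string]$name, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $name) { return $true }
        # A wildcard entry covers exactly one extra label: *.domain.net matches
        # mail.domain.net but not a.b.domain.net.
        if ($n.StartsWith('*.') -and $name -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { return $true }
    }
    return $false
}

foreach ($name in $names) {
    $covered = Test-CertCoversName $name $certNames
    # System.Net.Dns works on PowerShell 2.0 / Server 2008, unlike Resolve-DnsName.
    try   { $ips = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }
    $verdict = 'ok'
    if (-not $covered)        { $verdict = 'NAME MISMATCH: clients will warn' }
    elseif ($ips.Count -eq 0) { $verdict = 'NO INTERNAL DNS: add an A record pointing at the CAS' }
    "{0,-40} cert={1,-5} dns={2}  {3}" -f $name, $covered, ($ips -join ','), $verdict
}
```

A name that resolves only to the public IP is still reported as resolving; whether that IP is reachable from inside (hairpin NAT) is a firewall question, which is why the experts below ask for an internal A record for mail.domain.net pointing at the Exchange server itself.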
17 Comments
 
LVL 8

Assisted Solution

by:Mkris9
Mkris9 earned 664 total points
ID: 33520920
Are you able to access OWA internally?
0
 
LVL 15

Expert Comment

by:Antonio Vargas
ID: 33520961
You need internal DNS registries to mail.domain.net.. they need to be resolvable internally as you configured the internal URL pointing to those names...

Mail bouncing is a different problem.. you don't have authorization on your hub transport receive connector to accept relay from the external source (Microsoft Forefront Online)... is mail delivered directly to your internal Exchange from Forefront Online? If so you need to allow the IPs of Forefront Online to relay on your internal hub.. and also check the authentication configured on the hub transport.
0
 

Author Comment

by:Rebel_Scum
ID: 33520976
No, not with the internal url.
Thanks
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 668 total points
ID: 33521340
a) You setup your autodiscover and SCP's to point to this
https://mail.domain.net/
Do you have an internal DNS entry for mail.domain.net > pointing to IP Address of Exchange Server.

b) What's your internal domain name and external domain name? Are they the same or different?

c) Go here
www.testexchangeconnectivity.com/

Test for inbound / outbound email.

After the ISP change, did you change your IP address in the MX records?
Check yours here:
www.mxtoolbox.com

Did you ask your ISP to create a PTR record for your external FQDN to point to your public IP?
In your case, I think you will have to check with forefront team on that.

Please post back questions.
0
 

Author Comment

by:Rebel_Scum
ID: 33521648
I can change my own DNS. If I need to do anything, let me know.

Performing Outbound SMTP Test
 Outbound SMTP Test Failed
 Test Steps
 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

Performing Real-Time Blackhole List (RBL) Test
 Your IP address wasn't found on any of the block lists selected.
 Test Steps
 Checking Block List "SpamHaus Block List (SBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamHaus Exploits Block List (XBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamHaus Policy Block List (PBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamCop Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "NJABL.ORG Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SORBS Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "MSRBL Combined Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "UCEPROTECT Level 1 Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "AHBL Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xx.xx was not found on RBL



Performing Sender ID validation
 Sender ID validation failed
 Test Steps
 ExRCA is attempting to find the SPF record using a DNS TEXT record query.
 Found SPF Record
 Additional Details
 SPF Record found: "v=spf1 include:spf.messaging.microsoft.com ip4:xxx.xxx.xxx.xx -all"


Parsing SPF record and evaluating mechanisms and modifiers
 SPF Record evaluation resulted in a Sender ID failure.
 Additional Details
 The SPF record could not be parsed. Resulting in a PermError
0
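sunnyc7's accepted solution asks for the MX, PTR and external-IP checks, and the test output above ends with a Sender ID PermError on the SPF record. The script below is an added example, not from the thread, from Microsoft's Remote Connectivity Analyzer or from mxtoolbox: it walks MX, the MX hosts' A records and their PTRs, fetches the SPF TXT record and parses it the way a Sender ID evaluator does, reporting the syntax problems that produce a PermError. It uses Resolve-DnsName, which needs the DnsClient module (Windows 8 / Server 2012 or later), so it runs from a workstation rather than the Server 2008 SP2 box in the question; domain.net is the thread's placeholder domain, and the two sample records are constructed, with 192.0.2.10 (documentation range) standing in for the real address. The thread does not say what caused the PermError in the real record; the redacted form from the post is used only to show what a parser rejects.

```powershell
# Added example, not from the thread: check the public mail-path records the
# experts ask about (MX -> A -> PTR, and the SPF TXT record) and parse the SPF
# record so a Sender ID PermError can be explained. Assumes Resolve-DnsName
# (DnsClient module, Windows 8 / Server 2012 or later); "domain.net" is the
# thread's placeholder domain.

function Test-SpfSyntax([string]$record) {
    # Returns the list of syntax problems; an empty list means the record parses.
    # Each problem is what an evaluator reports as PermError.
    $problems = @()
    $terms = @($record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { return ,@('record must begin with v=spf1') }
    $lookups = 0
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        if ($term -match '^[+\-~?]?all$') { continue }
        if ($term -match '^[+\-~?]?(include|a|mx|ptr|exists)(:([^/]+))?(/\d{1,3})?$') {
            $lookups++                      # each of these costs a DNS query
            if (($Matches[1] -eq 'include' -or $Matches[1] -eq 'exists') -and -not $Matches[3]) {
                $problems += "$term needs a domain argument"
            }
            continue
        }
        if ($term -match '^[+\-~?]?ip4:([^/]+)(/(\d{1,3}))?$') {
            $ip = $null
            # Require dotted-quad form: IPAddress.TryParse alone accepts "192.168.1".
            if ($Matches[1] -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
                -not [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip)) {
                $problems += "$term is not a valid IPv4 address"
            } elseif ($Matches[3] -and [int]$Matches[3] -gt 32) {
                $problems += "$term has a prefix length over 32"
            }
            continue
        }
        if ($term -match '^[+\-~?]?ip6:([^/]+)(/(\d{1,3}))?$') {
            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -or
                $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
                $problems += "$term is not a valid IPv6 address"
            } elseif ($Matches[3] -and [int]$Matches[3] -gt 128) {
                $problems += "$term has a prefix length over 128"
            }
            continue
        }
        if ($term -match '^(redirect|exp)=.+$') {
            if ($Matches[1] -eq 'redirect') { $lookups++ }
            continue
        }
        $problems += "unknown term '$term'"
    }
    if ($lookups -gt 10) { $problems += "$lookups DNS-querying terms; RFC 7208 allows 10" }
    return ,$problems
}

function Show-SpfResult([string]$label, [string]$record) {
    $p = Test-SpfSyntax $record
    if ($p.Count) { "$label : PermError - " + ($p -join '; ') } else { "$label : parses" }
}

function Test-MailPath([string]$domain) {
    # Online part: every MX host must resolve, and its address needs a PTR,
    # which only the ISP that owns the address block can create.
    $mxs = Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'MX' }
    foreach ($mx in ($mxs | Sort-Object Preference)) {
        $as = Resolve-DnsName -Name $mx.NameExchange -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
        foreach ($a in $as) {
            $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue
            $ptrName = if ($ptr) { ($ptr | Select-Object -First 1).NameHost } else { 'MISSING (ask the ISP that owns the IP)' }
            "MX {0} -> {1} -> PTR {2}" -f $mx.NameExchange, $a.IPAddress, $ptrName
        }
    }
    $txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -like 'v=spf1*' }
    if (-not $txt) { "no SPF record for $domain"; return }
    Show-SpfResult "SPF for $domain" (($txt | Select-Object -First 1).Strings -join '')
}

# Offline demonstration on constructed records modelled on the one in the post.
Show-SpfResult 'constructed record' 'v=spf1 include:spf.messaging.microsoft.com ip4:192.0.2.10 -all'
Show-SpfResult 'redacted record'    'v=spf1 include:spf.messaging.microsoft.com ip4:xxx.xxx.xxx.xx -all'
# Test-MailPath 'domain.net'   # online check against your own domain
```

The parser is deliberately strict about the address literal because that is how evaluators behave: a record that reads plausibly to a human but contains one malformed term fails closed as PermError, and receivers that enforce Sender ID then treat the message as unauthenticated.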
 
LVL 15

Assisted Solution

by:Antonio Vargas
Antonio Vargas earned 668 total points
ID: 33522254
Performing Outbound SMTP Test
 Outbound SMTP Test Failed
 Test Steps
 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

You need a reverse DNS configured for your MX record IP... need to ask your ISP for that..

how are the inbound tests? can you receive mail?
0
 

Author Comment

by:Rebel_Scum
ID: 33522278
I can get to OWA internally now. I added it to DNS. Mail is getting to Forefront servers, but not to mine still.

What do I need to do to fix this:(below)

 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

How do I set my internal DNS for mail.domain.com? I have an A record for my external IP.

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33522301
You need to call your ISP and ask them to setup a PTR record for your IP  Address
0
 
LVL 15

Expert Comment

by:Antonio Vargas
ID: 33522382

 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

How do I set my internal DNS for mail.domain.com? I have an A record for my external IP

You need to ask your ISP to configure the DNS where you have your A record associated with the IP 216.248.108.33.. you need a PTR record for your external domain record.

you need to allow forefront servers to relay on your receive connectors
0
 

Author Comment

by:Rebel_Scum
ID: 33522411
I ran the Best Practices Analyzer and this was the only error I received.

Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639
0
 

Author Comment

by:Rebel_Scum
ID: 33522450
I have added all of the IPs for Microsoft's servers to my receive connector. All mail had been working prior to the above events.
0
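Antonio's point and the author's reply concern the receive connector: the internet-facing connector must accept anonymous mail from the hygiene provider's addresses, but that is different from granting relay. The script below is an added example, not code from the thread or from Microsoft: for each receive connector on the server it prints the permission groups and remote IP ranges, then checks with Get-ADPermission whether ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient, the right that turns "accept mail for our domains" into "relay for anyone". It assumes the Exchange 2010 Management Shell; the server name russellmail comes from the question. The thread does not list Forefront's IP ranges, so compare the printed ranges against Microsoft's published list yourself.

```powershell
# Added example, not from the thread: audit the receive connectors on an
# Exchange 2010 server for anonymous relay and for connectors open to any
# address. Assumes the Exchange Management Shell; "russellmail" is the server
# name from the question.
$server = 'russellmail'

function Get-ConnectorVerdict($connector) {
    $ranges    = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $anyRange  = ($ranges -contains '0.0.0.0-255.255.255.255')
    $anonymous = ($connector.PermissionGroups.ToString() -match 'AnonymousUsers')
    # ms-Exch-SMTP-Accept-Any-Recipient is never granted to anonymous senders by
    # default; it is what makes a connector an open relay when combined with a
    # remote range covering the whole internet.
    $relay = @(Get-ADPermission -Identity $connector.Identity |
               Where-Object { ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') -and
                              ($_.User.ToString() -like '*ANONYMOUS LOGON*') -and -not $_.Deny })
    if ($relay.Count -gt 0 -and $anyRange) { return 'OPEN RELAY: anonymous relay from any address' }
    if ($relay.Count -gt 0)                { return 'relay permitted, but only from the listed ranges' }
    if ($anonymous -and $anyRange)         { return 'anonymous inbound from anywhere; restrict to the hygiene provider if all mail arrives via Forefront' }
    if ($anonymous)                        { return 'anonymous inbound from the listed ranges only' }
    return 'authenticated senders only'
}

foreach ($rc in Get-ReceiveConnector -Server $server) {
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
    "{0}`n  permission groups: {1}`n  remote ranges: {2}`n  verdict: {3}" -f $rc.Name, $rc.PermissionGroups,
        $ranges, (Get-ConnectorVerdict $rc)
}
```

When every inbound message arrives through the hygiene provider, the internet-facing connector's RemoteIPRanges should contain only that provider's ranges; a remote range of 0.0.0.0-255.255.255.255 on that connector lets senders bypass the filtering service entirely, whether or not relay is granted.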
 
LVL 15

Expert Comment

by:Antonio Vargas
ID: 33522501
open queue viewer on exchange to see if mail is stuck in queue.. also enable verbose on the receive connector that gets mail from Internet for us to check for errors.
0
 

Author Comment

by:Rebel_Scum
ID: 33523391
OK, this is the part where everyone laughs at me. Here is what happened. One of our external IPs was added to the firewall to point to the mail server for remote desktop. I am not sure why this would cause a problem, but it did. I figured this out when one of our BlackBerry users showed me the IP on his phone, which was the new IP that was added. I removed the IP from the firewall and immediately all mail started to come in. Strange.

Well, if someone wants points: what do I do with this? Is it a problem?

I ran the Best Practices Analyzer and this was the only error I received.

Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639

Thanks everyone for your input.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33523428
One of our external IPs was added to the firewall to point to the mail server for remote desktop.
>> This was added where in the firewall?
So your firewall had 2 public IPs?


I ran the Best Practices Analyzer and this was the only error I received.
Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639
>> You can ignore this. That's a signature error in BPA.
0
 

Author Comment

by:Rebel_Scum
ID: 33523556
Yes, my firewall has more than 1 public IP; it has 3 right now. We also have a VOIP server that has an external IP and two others assigned. I can set up secondary IP addresses and do a 1-to-1 NAT.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33523638
Ok.
Let me know if there are any other issues, or you can close this case

Thanks
0
 
LVL 15

Expert Comment

by:Antonio Vargas
ID: 33523705
Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639

Thanks everyone for your input.

like sunny said you can ignore that error..
0
