Solved

Exchange 2010 / SBS 2011 DNS problem? Certificate error in outlook

Posted on 2014-03-21
2,039 Views
Last Modified: 2014-03-25
Everything was working fine with outlook on the users PCs on the LAN connecting to the SBS 2011 box.

Then we made the following changes and at the end, users are now getting security alerts that the name on the security certificate is invalid or does not match the name of the site.

Not sure what to do.

1) The system was set up to send mail out from server via DNS on a static IP from a T1 provider. Incoming mail was picked up via POP3 connector from a spam filtering service

2) We got a new IP address from Verizon a week ago. It turned out to be on a Microsoft RBL and Microsoft hasn't responded to our emails asking to be delisted.

3) So we set up Exchange to send out via the spam filterer's smart host and changed Exchange to receive mail via SMTP, not the POP3 connector.

And now when opening outlook on any of the machines on the lan, we get certificate errors about:

remote.domain.com
and sometimes autodiscovery.domain.com

from any of these machines, if we ping those addresses, we get the server's IP.

if we look at the certificate, it says it was issued to exchange.domain.com (also, pinging from inside the LAN, it gets the server IP address).

looking at the detail, the Subject is CN=exchange.domain.com
under subject alternate name,
DNS name = domain.com
dns name= exchange.domain.com
dns name = server.domain.local

the last 2 resolve to the server IP

in outlook, the settings for the account on each users machine is the same, except for their user name:

the server is listed as server.domain.local
under security tab, encrypt between Outlook and server is checked
and login network security is set to negotiate

under connection, the outlook anywhere box is checked and the settings are:
connection settings: remote.domain.com

only connect to proxy servers that have the principal name as is checked and the box has:
msstd:remote.domain.com

and authentication is set to basic.

so again, the things that changed are:
Public IP changed (and the public DNS was changed to reflect that)
Moved away from POP3 to SMTP receive
Moved from DNS sending to smart host sending.  

all that was on the server.  so what's broken between server and desktops that outlook is complaining : ) ??

I am thinking - we did have problems with the SMTP receive and I deleted / recreated 2 receive connectors.....   it asks what it's looking for in the HELO field.

hmmmm   could that be it?  what should I use then?  I put in exchange.domain.com for both
7 Comments
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 39946326
This can happen if you don't stick to the SBS wizards and don't set up Exchange properly. There are a few moving parts (all of which the SBS wizards automate).

Exchange autodiscover URLs *must* match one of the subject names on the certificate. The SBS internet address wizard sets exchange URLs properly when it is run, so this default is remote.domain.com and the SBS certificate wizard makes sure that name is in the SSL certificate.

DNS must resolve *that* name to the server. The SBS internet address wizard configures split DNS by default.

Note that these can also be configured manually, but they still must all be configured to match to avoid prompts. Based on your description, there is a mismatch where one or more items are configured for exchange.domain.com while others are configured for remote.domain.com, and that is the issue.

The receive connectors do not play a part here but if THEY don't match, other issues could also still arise.

The easiest fix would be to rerun the wizards (after making a backup) and sticking with a consistent name. But sometimes too many changes from defaults will cause the wizard to fail, in which case you will need to manually inspect and configure the above settings.
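Cliff's checklist (every Exchange URL must use a name on the certificate, and DNS must resolve that name to the server) can be verified in one read-only pass from the Exchange Management Shell. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes a single Client Access server (the SBS 2011 box) and changes nothing.

```powershell
# Added example: list every client-facing hostname Exchange 2010 hands to
# Outlook/Autodiscover, then check each against the SAN list of the certificate
# enabled for IIS and against DNS as the server sees it. Read-only.
# Assumption: one Client Access server, i.e. the SBS 2011 box itself.

function Get-UrlHost([object]$Url) {
    if ($null -eq $Url -or "$Url" -eq "") { return $null }
    return ([uri]"$Url").Host.ToLower()
}

# A wildcard SAN (*.domain.com) covers exactly one extra label, nothing deeper.
function Test-NameCovered([string]$Name, [string[]]$Sans) {
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith("*.") -and
            $Name -match ("^[^.]+\." + [regex]::Escape($san.Substring(2)) + "$")) { return $true }
    }
    return $false
}

# The "moving parts": Autodiscover SCP URI, every virtual directory URL, the
# Outlook Anywhere hostname, and the autodiscover.<domain> name clients fall back to.
$configured = @{}
$cas = Get-ClientAccessServer | Select-Object -First 1
$configured["AutoDiscoverServiceInternalUri"] = Get-UrlHost $cas.AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OABVirtualDirectory) +
         @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
foreach ($vd in $vdirs) {
    $configured["$($vd.Identity) InternalUrl"] = Get-UrlHost $vd.InternalUrl
    $configured["$($vd.Identity) ExternalUrl"] = Get-UrlHost $vd.ExternalUrl
}
$oa = Get-OutlookAnywhere | Select-Object -First 1
$configured["OutlookAnywhere ExternalHostname"] = "$($oa.ExternalHostname)".ToLower()
$default = Get-AcceptedDomain | Where-Object { $_.Default } | Select-Object -First 1
$configured["autodiscover DNS name"] = "autodiscover." + "$($default.DomainName)".ToLower()

# SANs of the certificate Exchange has enabled for IIS (the one Outlook is shown).
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
Write-Output "Certificate $($cert.Thumbprint) covers: $($sans -join ', ')"

foreach ($key in ($configured.Keys | Sort-Object)) {
    $name = $configured[$key]
    if (-not $name) { continue }
    try { $ip = ([System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1).IPAddressToString }
    catch { $ip = "DOES NOT RESOLVE" }
    $state = "MISMATCH"
    if (Test-NameCovered $name $sans) { $state = "OK" }
    Write-Output ("{0,-8} {1,-45} {2,-28} -> {3}" -f $state, $key, $name, $ip)
}
```

Any line reported as MISMATCH is a name Outlook will be handed that the certificate does not cover, which is exactly what produces the prompt described in the question; the client-side `msstd:` principal name in Outlook Anywhere must match one of the listed SANs as well.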
 
LVL 6

Assisted Solution

by:rick81
rick81 earned 375 total points
ID: 39948242
Re-run some of the wizards: the Connect to the Internet wizard and Set Up Your Internet Address. The latter should fix the issue with Outlook.

As Cliff mentioned, check your SSL cert matches your remote name. If not, you can change the remote name when you go through setting up the internet address. Clients should auto-update these changes. Click yes to any cert prompts, close Outlook and re-open, reboot the computer if necessary.
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39952198
Not sure if I am breaking things worse...  no mail is coming in

There are supposed to be 2 receive connectors in the EMC, right? one for internal and one for external?

I deleted both and ran the Set Up Your Internet Address wizard thinking it would make the 2 of them. It failed saying it can't configure Exchange for your domain. It says to run Fix My Network.

that also failed.

So I manually created 2 connectors. still no mail coming in.  I ran set up your internet address and it failed again.  do I need to restart any exchange services to get it to start using the new connectors? What services?

ran Fix My Network wizard and it says 'Exchange SMTP connectors are invalid - Exchange is not configured to communicate over your local network.'

let it try to fix the connectors and it says they are fixed..  when I send an email from outside, it goes to their spam filter, but bounces back

recipient was rejected. STARTTLS proto=TLSv1; cipher=DHE-RSA-AES256-SHA.
Remote host said: 550 (result of an earlier callout reused).

know what that means?
 
LVL 6

Assisted Solution

by:rick81
rick81 earned 375 total points
ID: 39952311
First off, double check those receive connectors are OK. The two links below should help.

http://blogs.technet.com/b/sbs/archive/2008/09/29/fix-my-network-wizard-fncw-fails-to-fix-the-exchange-smtp-connectors-in-sbs-2008.aspx

http://blog.korteksolutions.com/fix-my-network-wizard-fncw-fails-to-fix-the-exchange-smtp-connectors-in-sbs-2008/

Looking at an SBS 2008 machine, mine has 3 connectors:

1. Default - servername
2. Windows SBS Fax Sharepoint Receive - server name (this is probably due to the Premium SBS add-on)
3. Windows SBS Internet Receive - server name
 
LVL 6

Accepted Solution

by:
rick81 earned 375 total points
ID: 39952313
Re-create the connectors again, make sure all Exchange services are running, then send some emails in and out.
 
LVL 6

Expert Comment

by:rick81
ID: 39952898
Problem solved? What was the specific fix?
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39953196
Trying lots of things mentioned above - try different URLs, run wizards... repeatedly, reboot, repeat...  so not sure if restarting 1 or more of the Exchange services after each change would have made a difference, but did a bunch of things, then rebooted, so who knows what was the solution : (

I can see how moving mail to the cloud and letting others worry about the nuances of the server is popular.