Solved

Exchange 2010 / SBS 2011 DNS problem? Certificate error in outlook

Posted on 2014-03-21
1,983 Views
Last Modified: 2014-03-25
Everything was working fine with outlook on the users PCs on the LAN connecting to the SBS 2011 box.

Then we made the following changes and at the end, users are now getting security alerts that the name on the security certificate is invalid or does not match the name of the site.

Not sure what to do.

1) The system was set up to send mail out from server via DNS on a static IP from a T1 provider. Incoming mail was picked up via POP3 connector from a spam filtering service

2) We got a new IP address from verizon a week ago. It turned out to be on a microsoft RBL and Microsoft hasn't responded to our emails asking to be delisted.

3) So we set up exchange to send out via the spam filterers smart host and changed exchange to receive mail via SMTP, not the POP3 connector.

And now when opening outlook on any of the machines on the lan, we get certificate errors about:

remote.domain.com
and sometimes autodiscovery.domain.com

from any of these machines, if we ping those addresses, we get the server's IP.

if we look at the certificate, it says it was issued to exchange.domain.com (also, pinging from inside the LAN, it gets the server IP address).

looking at the detail, the Subject is CN=exchange.domain.com
under subject alternate name,
DNS name = domain.com
dns name= exchange.domain.com
dns name = server.domain.local

the last 2 resolve to the server IP

in outlook, the settings for the account on each users machine is the same, except for their user name:

the server is listed as server.domain.local
under security tab, encrypt between outlook and server is checked
and login network security is set to negotiate

under connection, the outlook anywhere box is checked and the settings are:
connection settings: remote.domain.com

only connect to proxy servers that have the principal name as is checked and the box has:
msstd:remote.domain.com

and authentication is set to basic.

so again, the things that changed are:
Public IP changed (and the public DNS was changed to reflect that)
Moved away from POP3 to SMTP receive
Moved from DNS sending to smart host sending.  

all that was on the server.  so what's broken between server and desktops that outlook is complaining : ) ??

I am thinking - we did have problems with the smtp receive and I deleted / recreated 2 receive connectors.....   it asks what it's looking for in the helo field.

hmmmm   could that be it?  what should I use then?  I put in exchange.domain.com for both
7 Comments
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 39946326
This can happen if you don't stick to the SBS wizards and don't set up exchange properly. There are a few moving parts (all of which the SBS wizards automate.)

Exchange autodiscover URLs *must* match one of the subject names on the certificate. The SBS internet address wizard sets exchange URLs properly when it is run, so this default is remote.domain.com and the SBS certificate wizard makes sure that name is in the SSL certificate.

DNS must resolve *that* name to the server. The SBS internet address wizard configures split DNS by default.

Note that these can also be configured manually, but they still must all be configured to match to avoid prompts. Based on your description, there is a mismatch where one or more items are configured for exchange.domain.com while others are configured for remote.domain.com, and that is the issue.

The receive connectors do not play a part here but if THEY don't match, other issues could also still arise.

The easiest fix would be to rerun the wizards (after making a backup) and sticking with a consistent name. But sometimes too many changes from defaults will cause the wizard to fail, in which case you will need to manually inspect and configure the above settings.
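To check the three moving parts Cliff lists (the names Exchange hands to Outlook, the names on the certificate IIS serves, and whether each name resolves to the server) in one pass, here is an added script for the Exchange Management Shell on the SBS 2011 box; it is not from this thread or from the SBS wizards, and it assumes the certificate assigned to the IIS service is the one Outlook sees.

```powershell
# Added example (not from the thread): compare the hostnames Exchange 2010 publishes
# to Outlook with the SAN list on the IIS certificate, then resolve each hostname.
# Run in the Exchange Management Shell on the SBS 2011 server.

# 1) Collect every URL Outlook/Autodiscover will be told to use
$urls = @()
$urls += (Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-OABVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-ActiveSyncVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$names = @($urls | Where-Object { $_ } | ForEach-Object { ([System.Uri]$_).Host })
# Outlook Anywhere uses a bare hostname (remote.domain.com in the question), not a URL
$names += @(Get-OutlookAnywhere | ForEach-Object { "$($_.ExternalHostname)" })
$names = $names | Where-Object { $_ } | Sort-Object -Unique

# 2) SANs on the certificate bound to IIS (the one Outlook Anywhere / EWS / Autodiscover present)
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"Certificate $($cert.Thumbprint) ($($cert.Subject)) covers: $($sans -join ', ')"

# 3) For each published name: is it on the cert, and where does DNS send clients?
foreach ($n in $names) {
    $lower = $n.ToLower()
    # Exact SAN match, or a single-label wildcard SAN (*.domain.com) that covers it
    $covered = $sans | Where-Object {
        $_ -eq $lower -or ($_.StartsWith('*.') -and $lower -like $_ -and
            ($lower.Split('.').Count -eq $_.Split('.').Count))
    }
    try   { $ips = @([System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }) -join ',' }
    catch { $ips = 'DOES NOT RESOLVE' }
    $status = if ($covered) { 'on cert' } else { 'NOT ON CERT -> Outlook will prompt' }
    "{0,-35} {1,-35} dns: {2}" -f $n, $status, $ips
}
```

Any line reporting NOT ON CERT, or resolving to something other than the server's LAN address, is a name to fix either in the URL settings or by reissuing the certificate with that name in its SAN list.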
 
LVL 6

Assisted Solution

by:rick81
rick81 earned 375 total points
ID: 39948242
re-run some of the wizards.  connect to the internet wizard and setup your internet address.  the latter should fix the issue with outlook.  

as Cliff mentioned check your ssl cert matches your remote name.  if not you can change the remote name when you go through setting up the internet address.  clients should auto update these changes.  click yes to any cert prompts, close outlook and re-open, reboot computer if necessary.
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39952198
Not sure if I am breaking things worse...  no mail is coming in

There are supposed to be 2 receive connectors in the EMC, right? one for internal and one for external?

I deleted both and ran the setup your internet address wizard thinking it would make the 2 of them.  it failed saying it can't configure exchange for your domain.  it says to run fix my network.  

that also failed.

So I manually created 2 connectors. still no mail coming in.  I ran set up your internet address and it failed again.  do I need to restart any exchange services to get it to start using the new connectors? What services?

ran fix my network wizard and it says 'exchange smtp connectors are invalid - exchange is not configured to communicate over your local network.'

let it try to fix the connectors and it says they are fixed..  when I send an email from outside, it goes to their spam filter, but bounces back

recipient was rejected. STARTTLS proto=TLSv1; cipher=DHE-RSA-AES256-SHA.
Remote host said: 550 (result of an earlier callout reused).

know what that means?
LVL 6

Assisted Solution

by:rick81
rick81 earned 375 total points
ID: 39952311
first off double check those receive connectors are ok.  the two links below should help.

http://blogs.technet.com/b/sbs/archive/2008/09/29/fix-my-network-wizard-fncw-fails-to-fix-the-exchange-smtp-connectors-in-sbs-2008.aspx

http://blog.korteksolutions.com/fix-my-network-wizard-fncw-fails-to-fix-the-exchange-smtp-connectors-in-sbs-2008/


looking at an sbs2008 machine mine has 3 connectors

1.  Default - servername
2.  windows SBS Fax Sharepoint Receive - server name (this is probably due to premium sbs add on)
3.  Windows SBS Internet Receive - server name
 
LVL 6

Accepted Solution

by:rick81
rick81 earned 375 total points
ID: 39952313
re-create the connectors again,  make sure all exchange services are running.  then send some emails in and out.
 
LVL 6

Expert Comment

by:rick81
ID: 39952898
Problem solved? What was the specific fix?
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39953196
trying lots of things mentioned above - try different urls, run wizards... repeatedly, reboot, repeat...  so not sure if restarting 1 or more of the exchange services after each change would have made a difference, but did a bunch of things, then rebooted, so who knows what was the solution : (

I can see how moving mail to the cloud and letting others worry about the nuances of the server is popular.