Solved

Exchange 2013/Outlook Setup/DNS

Posted on 2014-03-24
Last Modified: 2014-03-31
Hi Experts

I have commissioned a Windows 2012 R2 Domain and Exchange 2013 Server system.

I have configured both of the servers as DCs (although later I see this is not recommended but not forbidden).

I'm having problems connecting Outlook (2013 & 2010) up to the Exchange Server.  The only method I can use is to let the setup run automatically, and then, although Outlook works, in the Account Properties the Server is shown as 558a3daa-fda2-48c5-971c-a9860640d507@mycompany.co.uk rather than TC-EXS.companyname.co.uk.

I'm suspecting this is due to a misconfiguration in my DNS.  I cannot get a recursive query to pass, although all clients have access to the outside world without issue.

TC-ADS (Primary DC) IP:10.0.0.201
        Primary DNS 10.0.0.201
        Secondary DNS 10.0.203

TC-EXS(Secondary DC) IP:10.0.0.203
       Primary DNS 10.0.0.203
       Secondary DNS 10.0.0.201

I have DNS Forwarders set up with the IP addresses found on my WAN connection through my ADSL router.

Any help or pointers much appreciated as I'd like to clear this up before I commission any further accounts.

Thanks

Brian
Question by: 3D2K
18 Comments
 

Accepted Solution

by: Andy M (earned 50 total points)
The server is showing correctly in Outlook - 2013 doesn't display the server name, it actually displays the mailbox GUID instead (I spent ages trying to fix that before it got pointed out to me).

I would set your Exchange server to use the DC for DNS (primary) with the forwarders set to either your ISP's DNS or a public DNS such as OpenDNS or Google.

Expert Comment

by: Simon Butler (Sembee)
As already pointed out, that is the expected behaviour. Each mailbox has a unique end point - it is one of the changes in Exchange 2013, therefore Autodiscover is a requirement and you must ensure it is working correctly.

The only thing you need to be wary of with DNS is that you have all of the host names setup correctly. As you cannot put internal server names on to a public SSL certificate, a SPLIT DNS system is almost mandatory now, so that you can use the internal and external names everywhere.

Simon.

Author Comment

by: 3D2K
Morty500UK/Sembee

Thanks for your responses.

I'm a little easier now about the GUID being displayed, but my DNS issues (Recursive Query Fail) still persist.

I did happen to note that the Exchange Server didn't have Network Discovery turned on.  I've now turned that on.

I'm looking to buy an SAN SSL Certificate with the following names:

remote.companyname.co.uk
autodiscover.companyname.co.uk

which have served me well for a number of SBS 2011 installations.

I am of the mind that my DNS issues may well have to do with the fact that the DNS records for companyname.co.uk are hosted by the company's ISP and the internal domain is called hd1.companyname.co.uk and the two don't or can't communicate.  I think this is what you are alluding to with your split DNS comments.

Brian

Assisted Solution

by: Simon Butler (Sembee) (earned 450 total points)
"I did happen to note that the Exchange Server didn't have Network Discovery turned on.  I've now turned that on."

That has nothing to do with the operation of Exchange.

The hosts that you have outlined to put on the SSL certificate are fine, you just need to setup a split DNS (which SBS 2011 does for you), so that the external names resolve internally.

http://semb.ee/splitdns

To change Exchange to use the external host names, follow my guide here:
http://semb.ee/hostnames

It is for Exchange 2010, but applies to Exchange 2013 as well, other than doing Outlook Anywhere in the GUI.

Simon.
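A concrete version of the split-DNS setup Simon describes, added here as an example that is not part of the thread or of the linked guide. It runs in PowerShell on one of the domain controllers (Windows Server 2012 R2, DnsServer module) and creates one AD-integrated zone per external host name with an A record at the zone apex pointing to the LAN address, so the names on the certificate resolve internally while everything else under companyname.co.uk still goes out through the forwarders to the ISP's zone. The host names and the Exchange address 10.0.0.203 (TC-EXS) are taken from the thread; the gateway address 10.0.0.204 for remote.companyname.co.uk is an assumed placeholder.

```powershell
# Added example (not from the thread): per-host split-DNS zones on the internal DNS server.
# Host names and 10.0.0.203 (TC-EXS) come from the thread; 10.0.0.204 for the gateway
# server (TC-DAS) is an assumed placeholder. Run on a DC in an elevated shell.
Import-Module DnsServer

$internalDns = '10.0.0.201'   # TC-ADS, used for the verification queries below
$records = @{
    'autodiscover.companyname.co.uk' = '10.0.0.203'   # must be the Exchange server (TC-EXS)
    'remote.companyname.co.uk'       = '10.0.0.204'   # assumed address of the gateway server
}

foreach ($zoneName in $records.Keys) {
    # One zone per host name, NOT a zone for companyname.co.uk: a zone for the parent
    # domain would hide www, MX and every other public record from LAN clients.
    if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
        # AD-integrated, replicated to every DC running DNS (matches the SBS 2011 setup seen by the asker)
        Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Domain
    }
    # '@' is the zone apex ("same as parent folder"), so the bare host name resolves
    Add-DnsServerResourceRecordA -ZoneName $zoneName -Name '@' -IPv4Address $records[$zoneName] -TimeToLive '01:00:00'
}

# Verify from the inside: the certificate names must now return LAN addresses,
# while an unrelated public name still arrives via the forwarders (ISP zone).
foreach ($name in (@($records.Keys) + 'www.companyname.co.uk')) {
    Resolve-DnsName -Name $name -Type A -Server $internalDns |
        Select-Object Name, IPAddress
}
```

Clients that already cached the public address keep it until the old TTL expires; `ipconfig /flushdns` on a workstation shows the new answer immediately. Whichever name is later configured on the Exchange virtual directories must be one of the zones that points at 10.0.0.203.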

Author Comment

by: 3D2K
Simon

Thanks for the info, I'll look through it for my bedtime reading.

I mentioned the Network Discovery as at one point Outlook seemed to indicate it couldn't find my Exchange Server :-) whilst setting up a connection.

Brian

Expert Comment

by: Simon Butler (Sembee)
Outlook uses Autodiscover to find Exchange, which is nothing to do with Network Discovery.

Simon.

Author Comment

by: 3D2K
Simon

Your information is great and if I'm asking too many questions then you can tell me to take a hike as I see you have a consultancy business.

I have UCC certificate with the following hostnames:

hd1.companyname.co.uk
autodiscover.companyname.co.uk
remote.companyname.co.uk

I have installed this certificate on the Exchange Server and still I get the Certificate mismatch error for TC-EXS.hd1.companyname.co.uk.  So it looks like I need to get the Split DNS set up.

Following your instructions and looking at an SBS 2011 site I manage I see that in DNS there is a remote.companyname.co.uk zone (incidentally it is AD Integrated!).  No mention of AutoDiscover though.  Am I creating a similar remote.companyname.co.uk zone?  It is my intention to use a different server TC-DAS as the remote gateway server (assuming that's how it works now :-)) so I'm presuming I need to point the A record to TC-DAS.  

I'm obviously missing something for the autodiscover process to work correctly.

Brian

Assisted Solution

by: Simon Butler (Sembee) (earned 450 total points)
You don't need an Autodiscover internal URL, unless you have clients on the network that are not members of the domain. What you are seeing in SBS 2011 is the same thing that you need on the new platform, but you need to make the changes manually.
The Exchange host name internally needs to point to the Exchange server, not anything else.

I have an Exchange 2013 version of the guide now: http://semb.ee/hostnames2013 (published yesterday).

Simon.

Author Comment

by: 3D2K
Simon

I have done the Split-DNS for both remote.companyname.co.uk and autodiscover.companyname.co.uk which point at the Gateway Server and Exchange Server respectively.

Maybe choosing autodiscover.companyname.co.uk on the SSL UCC was a mistake!

I am installing an Exchange 2013 server to migrate a hosted environment at Memset so mail.companyname.co.uk is used externally to point to Memset so using that would no doubt have created me a ton of problems.

Anyway, I've followed your instructions to set up the Exchange 2013 Web Services and Other Client Access Host Name Configuration and then tested two accounts:

Outlook 2010 on a Windows 7 Pro (64) works fine with no certificate mismatch errors and the Test E-mail AutoConfiguration doesn't show any obvious errors.

Outlook 2013 on a Windows 8.1 (64) now hits me with a

Microsoft Outlook error "There is a problem with the proxy server's security certificate.  The name on the security certificate is invalid or does not match the name of the target site tc-exs.hd1.companyname.co.uk.  Outlook is unable to connect to the proxy server. (Error Code 10)"

as well as the usual

Security Alert "TC-EXS.hd1.companyname.co.uk - The name on the security certificate is invalid or does not match the name of the site".

The Test E-mail AutoConfiguration doesn't show any obvious errors.

Is the problem that the Exchange Server TC-EXS isn't on the certificate?  Obviously going forward this isn't going to be an option.  Also my internal domain is called hd1.companyname.co.uk different from the external presence companyname.co.uk.  I was of the impression that that was an MS recommended setup.

All very-very frustrating.

Thanks

Brian

Expert Comment

by: Simon Butler (Sembee)
What host name have you configured in Exchange for the virtual directories etc?
If it is remote, then remote needs to point to the Exchange server, not the gateway server.

Have you changed all of the URLs, including the PowerShell ones to match? As you are getting an error about the host names involved that would suggest that you haven't or one of the changes didn't take effect properly.

Simon.
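The URL changes Simon is asking about, written out as an added Exchange Management Shell example that is not part of the thread or of his guide: every client-facing URL on TC-EXS is pointed at the one name that is on the certificate and in split DNS, and then every value is read back so the check can be done from the shell instead of hunting through the new admin centre. The server name TC-EXS and the host name autodiscover.companyname.co.uk are taken from the thread; using a single name for all services, and Basic authentication for external Outlook Anywhere, are assumptions of this example. Run in the Exchange Management Shell on Exchange 2013.

```powershell
# Added example (not from the thread): set, then verify, the Exchange 2013 client access host names.
# Server and host name are from the thread; the single-namespace layout is assumed.
$server = 'TC-EXS'
$fqdn   = 'autodiscover.companyname.co.uk'   # must be on the certificate and resolve internally via split DNS

# Virtual directories: internal and external URL both use the public name
Get-OwaVirtualDirectory         -Server $server | Set-OwaVirtualDirectory         -InternalUrl "https://$fqdn/owa" -ExternalUrl "https://$fqdn/owa"
Get-EcpVirtualDirectory         -Server $server | Set-EcpVirtualDirectory         -InternalUrl "https://$fqdn/ecp" -ExternalUrl "https://$fqdn/ecp"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -InternalUrl "https://$fqdn/EWS/Exchange.asmx" -ExternalUrl "https://$fqdn/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $server | Set-ActiveSyncVirtualDirectory  -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $server | Set-OabVirtualDirectory         -InternalUrl "https://$fqdn/OAB" -ExternalUrl "https://$fqdn/OAB"

# Outlook Anywhere is the "proxy server" named in Outlook's error code 10; the
# Autodiscover URI is what domain-joined Outlook reads from the SCP in Active Directory
Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -InternalHostname $fqdn -ExternalHostname $fqdn `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# Read everything back. Any URL or host name still carrying tc-exs.hd1.companyname.co.uk
# is a name the certificate does not cover and is what produces the mismatch warning.
$dirs = @(
    Get-OwaVirtualDirectory         -Server $server
    Get-EcpVirtualDirectory         -Server $server
    Get-WebServicesVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory  -Server $server
    Get-OabVirtualDirectory         -Server $server
)
$dirs | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
Get-OutlookAnywhere    -Server $server   | Format-List InternalHostname, ExternalHostname, *RequireSsl
Get-ClientAccessServer -Identity $server | Format-List AutoDiscoverServiceInternalUri
# Listed for review only; this example leaves the PowerShell virtual directory unchanged
Get-PowerShellVirtualDirectory -Server $server | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize

# Flag any remaining virtual directory URL that does not use the certificate name
$stale = $dirs | Where-Object { "$($_.InternalUrl) $($_.ExternalUrl)" -notmatch [regex]::Escape($fqdn) }
if ($stale) {
    Write-Warning "URLs not on ${fqdn}:"
    $stale | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
}
```

Run `iisreset` afterwards so the new values are served straight away, then repeat Outlook's Test E-mail AutoConfiguration: the EWS, OAB and Outlook Anywhere entries it returns should all show the certificate name and nothing else.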

Author Comment

by: 3D2K
Simon

I've had a long conversation with GoDaddy and have added the internal Exchange Server name to the UCC SSL certificate and that has fixed all of the certificate errors (for the time being).

I followed your instructions for setting up Web Services etc so I'm assuming they are set to the following:

Autodiscover URL  autodiscover.companyname.co.uk
Web Services URL  autodiscover.companyname.co.uk
Outlook Anywhere URL autodiscover.companyname.co.uk.

Although how you check those with the new interface!

The remote.companyname.co.uk name will be used to access the Remote Gateway Server which is unlikely to be the Exchange Server so I think you can ignore that.

From another post I have added an SRV record into DNS for _autodiscover._tcp, port 443, pointing to autodiscover.companyname.co.uk.

Somewhere along the way ECP got broken with the certificate mismatch.  I'm not sure what caused that, but applying the new certificate fixed that.

Anyway I have a working system at the moment but for how long who knows.  

If I try to run ExRCA to test Autodiscovery that fails too, it traverses the firewall on 443 but has problems getting the certificate.  This is likely to cause me issues downstream with mobiles I'm sure.

I'll be closing this question shortly and applying points.

Thanks for all of your help.

Brian

Author Comment

by: 3D2K
Simon

I suspect whatever condition my Exchange Server is in it is terminally ill :-).

I've gone into IIS Manager and can't see any Virtual Directories under Autodiscover, ecp,EWS,...etc.  Also if I try to browse from IIS Manager to say Autodiscover on 443 then I get the usual There is a problem with this website's security certificate.

Should I start again?

Is there a way to clear it all down and restart?  I am only running a single email account through it at the moment.

Thanks for your patience.

Every time I come to install a "New" MS product I have to spend hours researching things that don't work as expected.

Brian

Expert Comment

by: Simon Butler (Sembee)
With Exchange 2013 there are two web sites. What a lot of people are doing is binding the certificate to the wrong web site. The certificate bindings should be done through EMC or EMS, not through IIS manager. Therefore the source of the SSL errors could be that you have the wrong web site with the trusted certificate on it.

Are you on Exchange 2013 SP1 (you should be for 2012 R2 support)?

Simon.
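A check for the binding mistake Simon describes, added here as an example that is not part of the thread. Exchange 2013 runs two IIS sites on the server: "Default Web Site" on port 443, which clients connect to, and "Exchange Back End" on port 444, which the front end proxies to and which normally keeps its self-signed certificate. The block assigns the public certificate the Exchange way (Enable-ExchangeCertificate, which updates the front-end binding) and then compares the thumbprint IIS actually has on each https binding with the certificate Exchange selected, so a certificate that was imported but bound to the wrong site shows up immediately. The host name autodiscover.companyname.co.uk comes from the thread; run in the Exchange Management Shell on the Exchange server (the WebAdministration module is installed with IIS).

```powershell
# Added example (not from the thread): bind the public certificate through Exchange,
# then compare the IIS https bindings with the certificate Exchange selected.
Import-Module WebAdministration
$fqdn = 'autodiscover.companyname.co.uk'    # name clients use (from the thread)

# 1. Pick the CA-issued, unexpired certificate that carries the client-facing name.
#    Issuer -eq Subject identifies the self-signed ones, so a stale self-signed
#    certificate with the same name cannot be chosen by mistake.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $fqdn -and $_.Issuer -ne $_.Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-issued, unexpired certificate containing $fqdn was found on this server" }

# 2. Assign it via Exchange rather than IIS Manager, so the binding lands on the
#    front-end site and Exchange's own record of the certificate stays consistent.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 3. Read the thumbprint actually bound on each site and compare.
$bindings = foreach ($site in 'Default Web Site', 'Exchange Back End') {
    Get-WebBinding -Name $site -Protocol https | ForEach-Object {
        [pscustomobject]@{
            Site       = $site
            Binding    = $_.bindingInformation      # e.g. *:443: or *:444:
            Thumbprint = $_.certificateHash
            Note       = ''
        }
    }
}
foreach ($b in $bindings) {
    if ($b.Binding -like '*:443:*') {
        $b.Note = if ($b.Thumbprint -eq $cert.Thumbprint) { 'OK: public certificate on the client-facing site' }
                  else { 'WRONG: clients get a different certificate from the one Exchange selected' }
    } elseif ($b.Binding -like '*:444:*') {
        $b.Note = if ($b.Thumbprint -eq $cert.Thumbprint) { 'public certificate on the back end (unnecessary but harmless)' }
                  else { 'back end keeps its own self-signed certificate, which is normal' }
    }
}
$bindings | Format-Table -AutoSize
```

If the 443 binding reports WRONG, a certificate was bound by hand in IIS Manager; re-running Enable-ExchangeCertificate for the correct thumbprint, followed by `iisreset`, puts the front-end binding back in line with what Get-ExchangeCertificate shows under Services.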

Author Comment

by: 3D2K
Simon

Not running Exchange 2013 CU1 but will do the 1.5GB download and update :-(.

I've effectively started again now having reset all of the configurations for Web Services:

Outlook Anywhere, OWA, ECP, ActiveSync, WebServiceVirtualDirectory, ActiveSyncVirtualDirectory, ECPVirtualDirectory, OABVirtualDirectory, ClientAccessServer.

Have I missed anything, you mentioned PowerShell in one of your previous posts.

I've still got SSL certificate errors.

There is an existing SSL certificate for www.companyname.co.uk which looks to be interfering with my UCC certificate.

If I have a DNS entry autodiscover.companyname.co.uk (at our ISP) pointing to my external wan on my router then Outlook complains that the SSL certificate is invalid and it offers me up the certificate off of the Vigor Router(?).

If I delete the DNS entry autodiscover.companyname.co.uk (at our ISP) then Outlook complains that the SSL certificate is invalid and it offers me up the certificate for www.companyname.co.uk stored at the ISP.

I definitely have the SSL UCC installed on the Exchange Server although I rekeyed it about 4 times yesterday.  I'm loath to delete it and start again as it warns me that it may break some Exchange Services.  Oddly the other Self-Certified SSL certificates on the Exchange Server have SMTP and IIS assigned to them but I'm unable to turn those options off.

How do I get my internal Outlook clients to access the correct SSL certificate?

I have tried testing using ExRCA and it always fails at the SSL certificate, it looks like it traverses the firewall through 443 but cannot get the certificate.

Thanks

Brian

Author Comment

by: 3D2K
Simon

I've come across this:

http://www.digicert.com/internal-domain-name-tool.htm

which I have downloaded and run against my Exchange Server.

Tried selling me up to DigiCert from GoDaddy but...did run a PS script that modified all of the Virtual Directory configs etc.

That fixed my earlier SSL certificate mismatch messages, so all internal Outlook looks good to go now.

Now all I have to do is to work out why ExRCA fails:

Attempting to test potential Autodiscover URL https://autodiscover.company.co.uk/AutoDiscover/AutoDiscover.xml
  Testing of this potential Autodiscover URL failed.

  Test Steps
    Attempting to resolve the host name autodiscover.company.co.uk in DNS.
      The host name resolved successfully.
    Testing TCP port 443 on host autodiscover.company.co.uk to ensure it's listening and open.
      The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.

      Test Steps
        The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.company.co.uk on port 443.
          The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.

          Additional Details
            The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
            Elapsed Time: 5665 ms.

Thanks

Brian

Assisted Solution

by: Simon Butler (Sembee) (earned 450 total points)
"If I have a DNS entry autodiscover.companyname.co.uk (at our ISP) pointing to my external wan on my router then Outlook complains that the SSL certificate is invalid and it offers me up the certificate off of the Vigor Router(?)."

The Vigor routers have an SSL VPN option enabled by default. That will be getting in the way. You need to update the firmware on the router to the latest version, then go in to the SSL VPN configuration and change the port to another one (I usually use 4433). Disabling the SSL VPN feature is not enough.
Also change the remote access ports as well so they don't conflict.

To be clear on the update - you want Exchange 2013 SP1, not CU1.

Simon.
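A way to see which device actually answered on port 443, added as an example that is not part of the thread. ExRCA stops at "SSL negotiation wasn't successful"; this PowerShell function (plain .NET, no Exchange modules, runs on Windows 8.1 or Server 2012 R2) performs the handshake itself and reports the subject, issuer and subject alternative names of whatever certificate came back, so a Vigor SSL VPN or the ISP's www certificate answering in place of Exchange is obvious at a glance. The optional -Address parameter connects to a given IP while still sending the host name, which lets you test the router's WAN path from inside the LAN even though split DNS points the name at the Exchange server there. The host name is from the thread; 203.0.113.10 is a documentation placeholder standing in for the router's WAN address.

```powershell
# Added example (not from the thread): handshake with a host and report whose certificate answers.
# Host name from the thread; 203.0.113.10 is a placeholder for the router's WAN address.
function Get-RemoteTlsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # name sent as SNI and expected on the certificate
        [string]$Address = $HostName,                      # IP to connect to; bypasses split DNS from the LAN
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Address, $Port)
        # Accept any certificate: the point is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
        } catch {
            # This is the condition ExRCA reports as "SSL negotiation wasn't successful"
            return [pscustomobject]@{ Address = $Address; Port = $Port; Result = "handshake failed: $($_.Exception.Message)" }
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        # 2.5.29.17 is the Subject Alternative Name extension; Format($false) gives one readable line
        $sans = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $named = ($sans -match [regex]::Escape($HostName)) -or ($cert.Subject -match "CN=$([regex]::Escape($HostName))")
        [pscustomobject]@{
            Address  = $Address
            Port     = $Port
            Result   = if ($named) { 'OK: certificate names this host' } else { 'MISMATCH: something else answered on this port' }
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            SANs     = $sans
            Protocol = $ssl.SslProtocol
        }
    } finally {
        $client.Dispose()
    }
}

# Via the WAN address, from inside or outside, to see what the router hands out on 443:
Get-RemoteTlsCertificate -HostName 'autodiscover.companyname.co.uk' -Address '203.0.113.10' | Format-List
# Via split DNS from the LAN, to confirm Exchange itself presents the UCC certificate:
Get-RemoteTlsCertificate -HostName 'autodiscover.companyname.co.uk' | Format-List
```

A router still owning 443 typically shows a self-signed subject such as the router model name and MISMATCH, while a successful port-forward to Exchange shows the GoDaddy issuer and the UCC's SAN list. A "handshake failed" result on the WAN address with OK on the LAN address is the signature of the firewall or router terminating the connection rather than passing it through.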

Author Comment

by: 3D2K
Simon

Once again thanks for getting back to me.

I have changed the remote access ports on the Draytek router to 8081 and 1443 already but I don't think I've disabled the SSL VPN.  I'll do that now.

Also I did notice my typo and yes I've downloaded and installed SP1 (not CU1) as recommended.

Have a good weekend and I will report back and hopefully close this one out.

Best Regards

Brian

Author Closing Comment

by: 3D2K
Simon

Thanks for all of your help with this problem.  We have moved way off of the initial thread where I was looking for a solution to the DNS recursive query test fail which I thought was the root cause of my problems.  I'll repost another question on that issue.  You have explained the Split DNS requirement and Web Service and Other Client Access Hostnames Configuration although the utility (http://www.digicert.com/internal-domain-name-tool.htm) at Digicert was very useful.

Finally your knowledge of the Draytek Vigor 2830 SSL configurations completed the picture.

I now have a fully functioning Windows Server 2012 R2/Exchange 2013 system.

Brian