Frederic Lalonde asked:

Exchange Certificate Prompt

Hi!

We have a weird issue at one of our clients.

Here is the scenario:

They have a local SBS 2008 with Exchange 2007 but do not use the local Exchange. Instead, they use a hosted Exchange from a nearby company. The problem is that when we configure Outlook, we get a certificate error message that refers to the Outlook Anywhere of the local Exchange.

Here is what we have tried so far:

-Deleted/recreated the Outlook Profile
-Did the Outlook connectivity test and nowhere does it refer to the URL in the certificate error.
-Removed the computer from the domain and tried configuring the Profile in a workgroup (It worked)
Alan Hardisty

Remove the Autodiscover Virtual Directory on the SBS server and make sure there are no Exchange accounts for the local users on the SBS server.

Ensure that autodiscover.yourdomain.com resolves in internal DNS to the hosted Exchange domain and not your internal domain and the errors should go away.

You can use the following to find / remove the Autodiscover Virtual Directory:

get-autodiscovervirtualdirectory | remove-autodiscovervirtualdirectory

Just curious though why you have SBS and then pay for Exchange hosted elsewhere?

Alan
The reason why this happens:
1) SBS created DNS entries for Exchange and they take priority over the external resolution.

Modify the DNS to resolve to the IP address of the hosting provider rather than the local server.

The ones that you need to look at are
SRV records and autodiscover.

If not present, add an SRV record with the details of the hosting provider.

Also stop the relevant application directories within IIS instead of deleting them (just in case you need them for
Frederic Lalonde

ASKER

Hi,

Thanks for both your replies.

I did delete the autodiscover virtual directory and there are currently no mailboxes on the local Exchange server, but the problem persists. As for autodiscover, I am configuring the email settings manually, so there are no DNS records for autodiscover internally or externally.
If you use the following command in a command prompt on a local computer in your network:

nslookup autodiscover.yourdomain.com (obviously change the yourdomain.com part)

What is returned as the result?
Here are the results

C:\Users\terminal>nslookup autodiscover.********quebec.local
Serveur :   pension-srv.*********quebec.local
Address:  10.10.0.5

*** pension-srv.*********quebec.local ne parvient pas à trouver autodiscover.*********quebec.local : Non-existent domain
Okay - so it looks like you have an autodiscover DNS record locally which you need to delete.
I can't seem to find the record in the DNS manager of the server.

Also, if I run the same command on the server itself, here is the result I get.

C:\Users\terminal>nslookup autodiscover.*******quebec.local
Server:  UnKnown
Address:  fe80::****:****:****:****

*** UnKnown can't find autodiscover.******quebec.local: Non-existent domain

I did ipconfig /flushdns on the client machine and still get the same result
Are you using the 10.10.0.x IP range internally?
Then it must either be in the DNS settings or it's hard coded in the HOSTS file on the server or client(s) (or the LMHOSTS file).

Please check c:\windows\system32\drivers\etc for both files locally and on the server(s).
I just checked both the HOSTS and LMHOSTS files on an affected machine and the server, and they are both in the default state with no added lines.
It has to be somewhere in DNS then on your servers.  You need to find it and remove it, or if there is a * set that resolves anything that isn't specified, that needs removing.
Wouldn't the server give me the same result if that was the case? Also, I double checked and that station is using that server as its DNS.
Depends on how the network and DNS is configured.

Please post the IP configuration settings of the server and a workstation, showing the DNS servers used for each (and please specify which are the server IP settings and which are the workstation settings).

Thanks

Alan
Here is one client station:


Configuration IP de Windows

   Nom de l'hôte . . . . . . . . . . : t2013-02
   Suffixe DNS principal . . . . . . : ******quebec.local
   Type de noeud. . . . . . . . . .  : Hybride
   Routage IP activé . . . . . . . . : Non
   Proxy WINS activé . . . . . . . . : Non
   Liste de recherche du suffixe DNS.: ******quebec.local

Carte Ethernet Ethernet :

   Suffixe DNS propre à la connexion. . . : *******quebec.local
   Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Adresse physique . . . . . . . . . . . : 74-D0-**-**-**-C7
   DHCP activé. . . . . . . . . . . . . . : Oui
   Configuration automatique activée. . . : Oui
   Adresse IPv6 de liaison locale. . . . .: fe80::****:****:****:f0b%3(préféré)

   Adresse IPv4. . . . . . . . . . . . . .: 10.10.0.102(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Bail obtenu. . . . . . . . . . . . . . : 24 novembre 2014 08:18:58
   Bail expirant. . . . . . . . . . . . . : 2 décembre 2014 08:19:18
   Passerelle par défaut. . . . . . . . . : 10.10.0.1
   Serveur DHCP . . . . . . . . . . . . . : 10.10.0.5
   IAID DHCPv6 . . . . . . . . . . . : 256919133
   DUID de client DHCPv6. . . . . . . . : 00-01-00-01-19-**-**-**-**-D0-2B-2B-03-C7
   Serveurs DNS. . .  . . . . . . . . . . : 10.10.0.5
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé

Carte Tunnel isatap.******quebec.local :

   Statut du média. . . . . . . . . . . . : Média déconnecté
   Suffixe DNS propre à la connexion. . . :
   Description. . . . . . . . . . . . . . : Carte Microsoft ISATAP #2
   Adresse physique . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP activé. . . . . . . . . . . . . . : Non
   Configuration automatique activée. . . : Oui

Here is the server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PENSION-SRV
   Primary Dns Suffix  . . . . . . . : *******quebec.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ********quebec.local

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : A4-BA-**-**-8C-10
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : A4-BA-**-**-8C-11
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3d2c:****:****:7e82%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8cce:****:****:717c%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 228899547
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-**-**-**-**-A4-BA-DB-53-8C-11

   DNS Servers . . . . . . . . . . . : fe80::3d2c:****:****:7e82%10
                                       10.10.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{D95D3C6E-1884-4D9C-9879-A50E78396588}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{64C8DA7C-8595-4B47-91F9-EE171D9489A3}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Well that all looks normal (sadly).

So what have you got configured in DNS internally?

Can you post a screenshot of the DNS zones (obscuring anything identifying, but not so much that the names can't be identified as internal / external ones)?

Thanks

Alan
Thanks for your replies.

Here are the screenshots as asked.
dns1.jpg
dns2.jpg
Thanks for those. Can you show me the .org DNS zone too?

Many thanks

Alan
Here it is
dns3.jpg
Sorry - I just reviewed the earlier comments. I asked you to look up autodiscover.yourdomain.com and you posted the result as:

nslookup autodiscover.********quebec.local

This is not the correct domain - it needs to be your external (Public domain) not your internal domain.

Please re-run the command using autodiscover.yourdomain.org and post the result.

Thanks

Alan
Here is the result from the server

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\terminal>nslookup autodiscover.******.org
Server:  UnKnown
Address:  fe80::****:****:****:7e82

*** UnKnown can't find autodiscover.*******.org: Non-existent domain

C:\Users\terminal>
Okay - so is there an Autodiscover A record set up in your external DNS records (not locally on your server) that points to the public IP address of your hosting company? Or, if they don't have autodiscover.yourdomain.org added to their SSL certificate, which they probably won't, do you have an SRV record that points to a name included in their SSL certificate?

Here is a guide in case you need help setting it up:
http://support.microsoft.com/kb/940881

This will normally be set up where you log in to a control panel, which may be where your domain is hosted / purchased.

Alan
Okay here is more information on this case:

We recently took over the IT for this company and it's a little messy, but we have to deal with it for now.
The hosted Exchange is actually on another SBS server with Exchange in the same LAN, but separated by VLANs.
We also happen to manage the other SBS, so if you need info from there, I can supply it too. They put all the mailboxes on one server to save cost on backup licences (I think?).

That being said, if I create an SRV record that points to the other Exchange, it resolves just fine, but I also get the annoying DNSAlias.org certificate. It seems to come from the local AD and comes before anything else.

Once again, thanks for your help.
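As an added illustration (not code from the thread or from either participant), the following Python models the order in which Outlook locates Autodiscover, the Active Directory Service Connection Point before any DNS name for domain-joined clients and then the SRV record described in KB 940881, and reports the first step whose certificate does not carry the contacted host name. Every host, zone and certificate name in it is constructed to mirror the thread and is not taken from the real environment.

```python
"""Added example (not code from the thread): a model of the Outlook Autodiscover
lookup order, used to see which step hands Outlook a certificate whose names do
not match the host. Every host, zone and certificate name below is constructed."""
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass
class Environment:
    domain_joined: bool
    scp_host: Optional[str] = None                   # host named in the AD Service Connection Point
    a_records: dict = field(default_factory=dict)    # DNS name -> IPv4 address
    srv_records: dict = field(default_factory=dict)  # _autodiscover._tcp.<zone> -> target host
    cert_names: dict = field(default_factory=dict)   # host -> names on its TLS certificate

def autodiscover_candidates(env: Environment, smtp_domain: str) -> list:
    """(step, host) pairs in the order Outlook tries them: the AD SCP (domain-joined
    clients only), the two HTTPS names, then the SRV record from KB 940881.
    The unauthenticated HTTP-redirect check is left out of this model."""
    steps = []
    if env.domain_joined and env.scp_host:
        steps.append(("SCP in Active Directory", env.scp_host))
    for name in (smtp_domain, "autodiscover." + smtp_domain):
        if name in env.a_records:                    # names that do not resolve are skipped
            steps.append(("HTTPS to " + name, name))
    target = env.srv_records.get("_autodiscover._tcp." + smtp_domain)
    if target:
        steps.append(("SRV record", target))
    return steps

def first_cert_mismatch(env: Environment, smtp_domain: str):
    """First endpoint whose certificate does not carry the contacted host name,
    i.e. the step at which Outlook raises the certificate prompt, or None."""
    for step, host in autodiscover_candidates(env, smtp_domain):
        names = env.cert_names.get(host, set())
        if host not in names:
            return step, host, sorted(names)
    return None

# Constructed inventory mirroring the thread: the local SBS still publishes an SCP
# and its certificate names a dnsalias.org host, while the hosted server sits
# behind an SRV record in the public .org zone and has a matching certificate.
LOCAL = Environment(
    domain_joined=True,
    scp_host="pension-srv.example-quebec.local",
    srv_records={"_autodiscover._tcp.example.org": "mail.hosting-example.org"},
    cert_names={"pension-srv.example-quebec.local": {"sbs-example.dnsalias.org"},
                "mail.hosting-example.org": {"mail.hosting-example.org"}},
)
WORKGROUP = replace(LOCAL, domain_joined=False)   # same DNS, client removed from the domain
```

With this inventory, `first_cert_mismatch(LOCAL, "example.org")` stops at the SCP step on the decommissioned server, while the WORKGROUP variant returns None, which is the same split the thread reports between a domain-joined client and one moved to a workgroup.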
Is the server hosting Exchange not on a Fixed IP Address?
It is yes, but it can also be reached locally with the local IP address 10.9.0.2 through a firewall rule within the VLANs.
Okay - if it is on a fixed public IP address, why is it using a dnsalias.org certificate?
The dnsalias.org certificate is the one from the local/decommissioned Exchange, which they are not using anymore.
Okay - how decommissioned is the server as if it is throwing up cert prompts, it doesn't sound very decommissioned to me?
Well that's pretty much the root of my problem.

As stated previously, I did delete the local autodiscover virtual directory and there are currently no mailboxes on the local Exchange server, but the certificate prompt of the local Exchange persists. The next step could be to completely uninstall Exchange, but I am very hesitant to do that since it is a Windows Small Business Server and Exchange is so closely tied to the SBS Console.
Can you disable all the Exchange services and stop the default website without knowingly causing other issues?

Alan
I just did but I get the same results unfortunately.
ASKER CERTIFIED SOLUTION
Frederic Lalonde
It fixed the problem