Exchange Certificate Prompt

Hi!

We have a weird issue at one of our clients.

here is the scenario:

They have a local SBS2008 with Exchange 2007 but do not use the local Exchange. Instead, they use a hosted Exchange from a nearby company. The problem is that when we configure Outlook, we get a certificate error message that refers to the Outlook Anywhere of the local Exchange.

Here is what we have tried so far:

-Deleted/recreated the Outlook Profile
-Did the Outlook connectivity test and nowhere does it refer to the URL in the certificate error.
-Removed the computer from the domain and tried configuring the Profile in a workgroup (It worked)
Asked by Frederic Lalonde.
Alan Hardisty (Co-Owner) commented:
Remove the Autodiscover Virtual Directory on the SBS server and make sure there are no Exchange accounts for the local users on the SBS server.

Ensure that autodiscover.yourdomain.com resolves in internal DNS to the hosted Exchange domain and not your internal domain, and the errors should go away.

You can use the following to find / remove the Autodiscover Virtual Directory:

get-autodiscovervirtualdirectory | remove-autodiscovervirtualdirectory

Just curious though why you have SBS and then pay for Exchange hosted elsewhere?

Alan
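The checks Alan lists, scripted as an added example (this is not code from the thread or from Microsoft; the server and domain names are placeholders). Run it in the Exchange Management Shell on the SBS box; it changes nothing. Besides the mailboxes still homed locally and the Autodiscover virtual directory, it prints the Autodiscover URI the server publishes in Active Directory and the names on the certificates bound to Exchange services, because a domain-joined Outlook asks AD for that URI before it tries any DNS name. That ordering is why the prompt vanished when the workstation was moved to a workgroup.

```powershell
# Added example (not from the thread): audit what the local Exchange 2007 server on SBS 2008
# still advertises to Outlook clients. Run in the Exchange Management Shell on the SBS box.
# Assumptions: server name and public domain are placeholders; nothing here changes state.

$server       = $env:COMPUTERNAME     # the SBS/Exchange server being audited
$publicDomain = 'example.org'         # public mail domain used by the hosted Exchange (placeholder)

Write-Host "== Mailboxes still homed on $server =="
# Any mailbox left here would legitimately pull Outlook to the local server.
Get-Mailbox -Server $server -ResultSize Unlimited | Select-Object Name, Database

Write-Host "`n== Autodiscover virtual directory (IIS side) =="
Get-AutodiscoverVirtualDirectory -Server $server | Select-Object Name, InternalUrl, ExternalUrl

Write-Host "`n== Autodiscover SCP advertised in Active Directory =="
# Domain-joined Outlook reads this LDAP value BEFORE it tries autodiscover.<domain> in DNS.
Get-ClientAccessServer -Identity $server | Select-Object Name, AutoDiscoverServiceInternalUri

Write-Host "`n== Outlook Anywhere (RPC over HTTP) settings =="
# ExternalHostname is the name Outlook is told to connect to; the certificate must cover it.
Get-OutlookAnywhere -Server $server | Select-Object ServerName, ExternalHostname, SSLOffloading

Write-Host "`n== Certificates bound to Exchange services =="
# CertificateDomains are the names Outlook compares against the host it was sent to.
Get-ExchangeCertificate | Where-Object { $_.Services -ne 'None' } |
    Select-Object Thumbprint, Services, NotAfter,
                  @{ n = 'Domains'; e = { $_.CertificateDomains -join ',' } }

Write-Host "`n== Internal DNS answer for autodiscover.$publicDomain =="
try {
    [System.Net.Dns]::GetHostAddresses("autodiscover.$publicDomain") |
        ForEach-Object { $_.IPAddressToString }
} catch {
    Write-Host "No A record: $($_.Exception.Message)"
}
```

If the mailbox list is empty and the virtual directory is gone but AutoDiscoverServiceInternalUri still names the local server, that URI is what domain-joined clients will keep hitting, whatever DNS says.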
Costas Georgiou (Network Administrator) commented:
The reason this happens:
1) SBS created DNS entries for Exchange and they are taking priority over the external resolution.

Modify the DNS to resolve to the IP address of the hosting provider rather than the local server.

The ones that you need to look at are
SRV records and Autodiscover.

If not present, add an SRV record with the details of the hosting provider.

Also stop the relevant application directories within IIS instead of deleting them (just in case you need them for
Frederic Lalonde (Author) commented:
Hi,

thanks for both your replies.

I did delete the Autodiscover virtual directory and there are currently no mailboxes on the local Exchange server, but the problem persists. As for Autodiscover, I am configuring the email settings manually, so there are no DNS records for autodiscover internally or externally.
Alan Hardisty (Co-Owner) commented:
If you use the following command in a command prompt on a local computer in your network:

nslookup autodiscover.yourdomain.com (obviously change the yourdomain.com part)

What is returned as the result?
Frederic Lalonde (Author) commented:
Here are the results

C:\Users\terminal>nslookup autodiscover.********quebec.local
Server:   pension-srv.*********quebec.local
Address:  10.10.0.5

*** pension-srv.*********quebec.local can't find autodiscover.*********quebec.local: Non-existent domain
Alan Hardisty (Co-Owner) commented:
Okay - so it looks like you have an autodiscover DNS record locally which you need to delete.
Frederic Lalonde (Author) commented:
I can't seem to find the record in the DNS manager of the server.

Also, if I run the same command on the server itself, here is the result I get.

C:\Users\terminal>nslookup autodiscover.*******quebec.local
Server:  UnKnown
Address:  fe80::****:****:****:****

*** UnKnown can't find autodiscover.******quebec.local: Non-existent domain

I did ipconfig /flushdns on the client machine and still get the same result
Alan Hardisty (Co-Owner) commented:
Are you using the 10.10.0.x IP range internally?
Frederic Lalonde (Author) commented:
Yes
Alan Hardisty (Co-Owner) commented:
Then it must either be in the DNS settings or it's hard-coded in the HOSTS file on the server or client(s) (or the LMHOSTS file).

Please check c:\windows\system32\drivers\etc for both files locally and on the server(s).
Frederic Lalonde (Author) commented:
I just checked both HOSTS and LMHOSTS files on an affected machine and the server, and they are both in the default state with no added lines.
Alan Hardisty (Co-Owner) commented:
It has to be somewhere in DNS then on your servers.  You need to find it and remove it, or if there is a * set that resolves anything that isn't specified, that needs removing.
Frederic Lalonde (Author) commented:
Wouldn't the server give me the same result if that was the case? Also, I double-checked and that station is using that server as its DNS.
Alan Hardisty (Co-Owner) commented:
Depends on how the network and DNS is configured.

Please post the IP configuration settings of the server and a workstation showing the DNS servers used for each (and please specify which are the server IP settings and which are the workstation settings).

Thanks

Alan
Frederic Lalonde (Author) commented:
Here is one client station:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : t2013-02
   Primary Dns Suffix  . . . . . . . : ******quebec.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ******quebec.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : *******quebec.local
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 74-D0-**-**-**-C7
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::****:****:****:f0b%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.102(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 24 November 2014 08:18:58
   Lease Expires . . . . . . . . . . : 2 December 2014 08:19:18
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.5
   DHCPv6 IAID . . . . . . . . . . . : 256919133
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-**-**-**-**-D0-2B-2B-03-C7
   DNS Servers . . . . . . . . . . . : 10.10.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.******quebec.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Here is the Server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PENSION-SRV
   Primary Dns Suffix  . . . . . . . : *******quebec.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ********quebec.local

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : A4-BA-**-**-8C-10
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : A4-BA-**-**-8C-11
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3d2c:****:****:7e82%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8cce:****:****:717c%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 228899547
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-**-**-**-**-A4-BA-DB-53-8C-11

   DNS Servers . . . . . . . . . . . : fe80::3d2c:****:****:7e82%10
                                       10.10.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{D95D3C6E-1884-4D9C-9879-A50E78396588}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{64C8DA7C-8595-4B47-91F9-EE171D9489A3}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Alan Hardisty (Co-Owner) commented:
Well that all looks normal (sadly).

So what have you got configured in DNS internally?

Can you post a screen shot of the DNS Zones (obscuring anything identifying but not so that the names can't be identified as internal / external ones).

Thanks

Alan
Frederic Lalonde (Author) commented:
Thanks for your replies.

Here are the screenshots as asked.
dns1.jpg
dns2.jpg
Alan Hardisty (Co-Owner) commented:
Thanks for those.  Can you show me the .org DNS zone too.

Many thanks

Alan
Frederic Lalonde (Author) commented:
Here it is
dns3.jpg
Alan Hardisty (Co-Owner) commented:
Sorry - I just reviewed the earlier comments. I asked you to look up autodiscover.yourdomain.com and you posted the result as:

nslookup autodiscover.********quebec.local

This is not the correct domain - it needs to be your external (Public domain) not your internal domain.

Please re-run the command using autodiscover.yourdomain.org and post the result.

Thanks

Alan
Frederic Lalonde (Author) commented:
Here is the result from the server

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\terminal>nslookup autodiscover.******.org
Server:  UnKnown
Address:  fe80::****:****:****:7e82

*** UnKnown can't find autodiscover.*******.org: Non-existent domain

C:\Users\terminal>
Alan Hardisty (Co-Owner) commented:
Okay - so is there an Autodiscover A record set up in your external DNS records (not locally on your server) that points to the public IP address of your hosting company? Or, if they don't have autodiscover.yourdomain.org added to their SSL certificate, which they probably won't, do you have an SRV record that points to a name included in their SSL certificate?

Here is a guide in case you need help setting it up:
http://support.microsoft.com/kb/940881

This will normally be setup where you login to a Control Panel and may be where your domain is hosted / purchased.

Alan
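The DNS side of Costas's and Alan's advice as one added example (not code from the thread): it lists anything active in HOSTS/LMHOSTS, dumps the zone apex, autodiscover, wildcard and SRV nodes from the SBS DNS server with dnscmd, and creates the _autodiscover._tcp SRV record described in KB940881 if it is missing. example.org and mail.hostedprovider.example are placeholders. The SRV target must be a name that appears on the hosted server's certificate, otherwise you trade one certificate prompt for another. Run it elevated on the DNS server; dnscmd.exe ships with Server 2008.

```powershell
# Added example (not from the thread): check and, if needed, create the DNS records Outlook
# uses once nothing in AD points it at the old server. Run elevated on the SBS 2008 DNS server.
# Placeholders: example.org is the public domain; mail.hostedprovider.example is assumed to be
# a name that actually appears on the hosted Exchange server's certificate.

$zone       = 'example.org'
$hostedName = 'mail.hostedprovider.example'
$dnsServer  = '.'                       # '.' = the local DNS server

# 1. Anything hard-coded on this box that would short-circuit DNS?
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
foreach ($f in 'hosts', 'lmhosts') {
    $p = Join-Path $etc $f
    if (Test-Path $p) {
        $live = @(Get-Content $p | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
        Write-Host "$f : $($live.Count) active line(s)"
        $live | ForEach-Object { Write-Host "    $_" }
    }
}

# 2. Records at the zone apex, the autodiscover host, the wildcard node and the SRV node.
#    A '*' node answers every name that is not explicitly defined, which is one way a stale
#    A record can hide from the DNS console's tree view.
foreach ($node in '@', 'autodiscover', '*', '_autodiscover._tcp') {
    Write-Host "`n== $node.$zone =="
    & dnscmd $dnsServer /EnumRecords $zone $node 2>&1 | Where-Object { $_ -match '\S' }
}

# 3. If the provider's certificate does not carry autodiscover.example.org, publish the SRV
#    record (KB940881 shape) pointing at a name that IS on their certificate:
#    priority 0, weight 0, port 443. Skipped if an SRV record already exists.
$srv = (& dnscmd $dnsServer /EnumRecords $zone '_autodiscover._tcp' 2>&1) -join "`n"
if ($srv -notmatch '\bSRV\b') {
    Write-Host "`nNo SRV record found; creating _autodiscover._tcp.$zone -> $hostedName"
    & dnscmd $dnsServer /RecordAdd $zone '_autodiscover._tcp' SRV 0 0 443 $hostedName
}

# 4. Verify from a client's point of view (the query Outlook sends as its last resort).
& nslookup -type=SRV "_autodiscover._tcp.$zone"
```

If the internal zone for the public domain is the only one the workstations can see (split-brain DNS, as in this thread where the .org zone is hosted on the SBS box), the same record must also exist in the public zone at the registrar for clients outside the LAN.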
Frederic Lalonde (Author) commented:
Okay here is more information on this case:

We recently took over the IT for this company and it's a little messy but we have to deal with it for now.
The hosted Exchange is actually on another SBS server with Exchange in the same LAN but separated by VLANs.
We happen to also manage the other SBS, so if you need info there, I can supply it also. They put all the mailboxes on one server to save cost on backup licences (I think?).

That being said, if I create an SRV record that points to the other Exchange, it resolves it just fine, but I also get the annoying DNSAlias.org certificate. It seems to come from the local AD and comes before anything else.

Once again, thanks for your help.
Alan Hardisty (Co-Owner) commented:
Is the server hosting Exchange not on a Fixed IP Address?
Frederic Lalonde (Author) commented:
It is yes, but it can also be reached locally with the local IP address 10.9.0.2 through a firewall rule within the VLANs.
Alan Hardisty (Co-Owner) commented:
Okay - if it is on a fixed public IP address, why is it using a dnsalias.org certificate?
Frederic Lalonde (Author) commented:
The dnsalias.org certificate is the one from the local/decommissioned Exchange, which they are not using anymore.
Alan Hardisty (Co-Owner) commented:
Okay - how decommissioned is the server as if it is throwing up cert prompts, it doesn't sound very decommissioned to me?
Frederic Lalonde (Author) commented:
Well that's pretty much the root of my problem.

As stated previously, I did delete the local Autodiscover virtual directory and there are currently no mailboxes on the local Exchange server, but the certificate prompt of the local Exchange persists. The next step could be to completely uninstall Exchange, but I am very hesitant to do that since it is a Windows Small Business Server and Exchange is so closely tied to the SBS Console.
Alan Hardisty (Co-Owner) commented:
Can you disable all the Exchange services and stop the default website without knowingly causing other issues?

Alan
Frederic Lalonde (Author) commented:
I just did but I get the same results unfortunately.
Frederic Lalonde (Author) commented:
I just found the solution:

I had to delete the Autodiscover folder in Active Directory Sites and Services.

It was located in: Services, Microsoft Exchange, First Organization, Administrative Groups, Exchange Administrative Group, Servers, (Name of the Server), Protocols.
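The object the author deleted by hand in AD Sites and Services, located and optionally repointed from PowerShell, as an added example that is not part of the thread. The search uses the well-known Autodiscover service connection point (SCP) keyword GUID under the Configuration partition, the same query a domain-joined Outlook issues, so the output is exactly what clients are being told. The -Fix path uses Set-ClientAccessServer (Exchange Management Shell) to make Exchange rewrite its own SCP to the hosted server's URL, which keeps the SBS Console's view of Exchange consistent instead of removing an AD object underneath it; that URL is an assumption and must match a name on the hosted server's certificate. The search part runs in plain PowerShell on any domain member.

```powershell
# Added example (not from the thread): list every Autodiscover SCP that Active Directory hands
# to domain-joined Outlook clients. Read-only unless -Fix is given.
# Assumption: the -Fix URL below is the hosted server's Autodiscover endpoint and that name is
# on its certificate; replace it before use.
param(
    [switch]$Fix,
    [string]$HostedAutodiscoverUri = 'https://mail.hostedprovider.example/Autodiscover/Autodiscover.xml'
)

# Outlook's SCP lookup: objectClass=serviceConnectionPoint whose keywords attribute carries the
# well-known Autodiscover GUID, searched under the Configuration naming context.
$AutodiscoverScpGuid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [ADSI]('LDAP://' + $rootDse.configurationNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($configNc)
$searcher.Filter   = "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpGuid))"
$searcher.PageSize = 200
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'serviceBindingInformation', 'whenChanged'))

$scps = $searcher.FindAll()
if ($scps.Count -eq 0) {
    Write-Host 'No Autodiscover SCP published; domain-joined Outlook will fall through to DNS.'
    return
}

foreach ($scp in $scps) {
    $dn   = [string]$scp.Properties['distinguishedname'][0]
    $uris = @($scp.Properties['servicebindinginformation'])
    Write-Host "SCP: $dn"
    Write-Host "  last changed : $($scp.Properties['whenchanged'][0])"
    $uris | ForEach-Object { Write-Host "  advertises   : $_" }

    # Exchange 2007 stores the SCP as CN=<server>,CN=Autodiscover,CN=Protocols,CN=<server>,
    # CN=Servers,..., so the first RDN is the Client Access server that owns it.
    $serverName = ($dn -split ',')[0] -replace '^CN=', ''

    if ($Fix) {
        # Let Exchange rewrite the SCP it owns rather than deleting the AD object by hand.
        Set-ClientAccessServer -Identity $serverName -AutoDiscoverServiceInternalUri $HostedAutodiscoverUri
        Write-Host "  rewritten to : $HostedAutodiscoverUri"
    }
}
```

The serviceBindingInformation value is what stopped the Outlook connectivity test from ever showing the offending URL: the test reports the DNS steps, while the SCP answer comes from LDAP. It is also worth an occasional look for its own sake, since anyone able to write SCPs in the Configuration partition can redirect every domain-joined Outlook client in the forest.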

Frederic Lalonde (Author) commented:
It fixed the problem