Frederic Lalonde
asked on
Exchange Certificate Prompt
Hi!
We have a weird issue at one of our clients.
here is the scenario:
They have a local SBS2008 with Exchange 2007 but do not use the local Exchange. Instead, they use a hosted Exchange from a nearby company. The problem is that when we configure Outlook, we get a certificate error message that refers to the Outlook Anywhere of the local Exchange.
Here is what we have tried so far:
-Deleted/recreated the Outlook Profile
-Did the Outlook connectivity test and nowhere does it refer to the URL in the certificate error.
-Removed the computer from the domain and tried configuring the Profile in a workgroup (It worked)
The reason why this happens.
1) SBS created DNS entries for Exchange and they are taking priority over the external resolution.
Modify the DNS to resolve to the IP address of the hosting provider rather than the local server.
The ones that you need to look at are
SRV records and Autodiscover.
If not present, add a SRV record with the details of the hosting provider.
Also stop the relevant application directories within IIS instead of deleting them (Just in case you need them for
ASKER
Hi,
thanks for both your replies.
I did delete the autodiscover virtual directory and there is currently no mailboxes on the local Exchange server but the problem persists. As for the autodiscover, I am configuring the email settings manually so there are no dns records with autodiscover internally or externally.
If you use the following command in a command prompt on a local computer in your network:
nslookup autodiscover.yourdomain.com (obviously change the yourdomain.com part)
What is returned as the result?
ASKER
Here are the results
C:\Users\terminal>nslookup autodiscover.********quebec.local
Serveur : pension-srv.*********quebec.local
Address: 10.10.0.5
*** pension-srv.*********quebec.local ne parvient pas à trouver autodiscover.*********quebec.local : Non-existent domain
Okay - so it looks like you have an autodiscover DNS record locally which you need to delete.
ASKER
I can't seem to find the record in the DNS manager of the server.
Also if I run the same command on the server itself, here is the result I get.
C:\Users\terminal>nslookup autodiscover.*******quebec.local
Server: UnKnown
Address: fe80::****:****:****:****
*** UnKnown can't find autodiscover.******quebec.local: Non-existent domain
I did ipconfig /flushdns on the client machine and still get the same result
Are you using the 10.10.0.x IP range internally?
ASKER
Yes
Then it must either be in the DNS settings or it's hard coded in the HOSTS file on the server or client(s) (or the LMHOSTS file).
Please check c:\windows\system32\drivers\etc for both files locally and on the server(s).
ASKER
I just checked both HOSTS & LMHOSTS files on an affected machine and the server and they are both at the default state with no added lines.
It has to be somewhere in DNS then on your servers. You need to find it and remove it, or if there is a * set that resolves anything that isn't specified, that needs removing.
ASKER
Wouldn't the server give me the same result if that was the case? Also, I double checked and that station is using that server as its DNS.
Depends on how the network and DNS is configured.
Please post the IP configuration settings of the server and a workstation, showing the DNS servers used for each (and please specify which are the server IP settings and which are the workstation settings).
Thanks
Alan
ASKER
Here is one client station:
Configuration IP de Windows
Nom de l'hôte . . . . . . . . . . : t2013-02
Suffixe DNS principal . . . . . . : ******quebec.local
Type de noeud. . . . . . . . . . : Hybride
Routage IP activé . . . . . . . . : Non
Proxy WINS activé . . . . . . . . : Non
Liste de recherche du suffixe DNS.: ******quebec.local
Carte Ethernet Ethernet :
Suffixe DNS propre à la connexion. . . : *******quebec.local
Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Adresse physique . . . . . . . . . . . : 74-D0-**-**-**-C7
DHCP activé. . . . . . . . . . . . . . : Oui
Configuration automatique activée. . . : Oui
Adresse IPv6 de liaison locale. . . . .: fe80::****:****:****:f0b%3 (préféré)
Adresse IPv4. . . . . . . . . . . . . .: 10.10.0.102(préféré)
Masque de sous-réseau. . . . . . . . . : 255.255.255.0
Bail obtenu. . . . . . . . . . . . . . : 24 novembre 2014 08:18:58
Bail expirant. . . . . . . . . . . . . : 2 décembre 2014 08:19:18
Passerelle par défaut. . . . . . . . . : 10.10.0.1
Serveur DHCP . . . . . . . . . . . . . : 10.10.0.5
IAID DHCPv6 . . . . . . . . . . . : 256919133
DUID de client DHCPv6. . . . . . . . : 00-01-00-01-19-**-**-**-**-D0-2B-2B-03-C7
Serveurs DNS. . . . . . . . . . . . . : 10.10.0.5
NetBIOS sur Tcpip. . . . . . . . . . . : Activé
Carte Tunnel isatap.******quebec.local :
Statut du média. . . . . . . . . . . . : Média déconnecté
Suffixe DNS propre à la connexion. . . :
Description. . . . . . . . . . . . . . : Carte Microsoft ISATAP #2
Adresse physique . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP activé. . . . . . . . . . . . . . : Non
Configuration automatique activée. . . : Oui
Here is the Server:
Windows IP Configuration
Host Name . . . . . . . . . . . . : PENSION-SRV
Primary Dns Suffix . . . . . . . : *******quebec.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ********quebec.local
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
VBD Client) #2
Physical Address. . . . . . . . . : A4-BA-**-**-8C-10
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
VBD Client)
Physical Address. . . . . . . . . : A4-BA-**-**-8C-11
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3d2c:****:****:7e82%10(Preferred)
Link-local IPv6 Address . . . . . : fe80::8cce:****:****:717c%10(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.0.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.0.1
DHCPv6 IAID . . . . . . . . . . . : 228899547
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-**-**-**-**-A4-BA-DB-53-8C-11
DNS Servers . . . . . . . . . . . : fe80::3d2c:****:****:7e82%10
10.10.0.5
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{D95D3C6E-1884-4D9C-9879-A50E78396588}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{64C8DA7C-8595-4B47-91F9-EE171D9489A3}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Well that all looks normal (sadly).
So what have you got configured in DNS internally?
Can you post a screen shot of the DNS Zones (obscuring anything identifying but not so that the names can't be identified as internal / external ones).
Thanks
Alan
Thanks for those. Can you show me the .org DNS zone too.
Many thanks
Alan
ASKER
Here it is
dns3.jpg
Sorry - just reviewed the earlier comments and I asked you to lookup autodiscover.yourdomain.com and you posted the result as:
nslookup autodiscover.********quebec.local
This is not the correct domain - it needs to be your external (Public domain) not your internal domain.
Please re-run the command using autodiscover.yourdomain.org and post the result.
Thanks
Alan
ASKER
Here is the result from the server
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\terminal>nslookup autodiscover.******.org
Server: UnKnown
Address: fe80::****:****:****:7e82
*** UnKnown can't find autodiscover.*******.org: Non-existent domain
C:\Users\terminal>
Okay - so is there an Autodiscover A record set up in your External DNS records (not locally on your server) that points to the Public IP Address of your hosting company, or if they don't have autodiscover.yourdomain.org added to their SSL certificate, which they probably won't, do you have an SRV record that points to a name included in their SSL certificate?
Here is a guide in case you need help setting it up:
http://support.microsoft.com/kb/940881
This will normally be setup where you login to a Control Panel and may be where your domain is hosted / purchased.
Alan
ASKER
Okay here is more information on this case:
We recently took over the IT for this company and it's a little messy but we have to deal with it for now.
The hosted Exchange is actually on another SBS Server with Exchange in the same LAN but separated by VLANs.
We happen to also manage the other SBS so if you need info there, I can supply it also. They put all the mailboxes on one server to save cost on backup licences. (I think?)
That being said, if I create an SRV record that points to the other Exchange, it resolves just fine, but I also get the annoying DNSAlias.org certificate. It seems to come from the local AD and comes before anything else.
Once again, thanks for your help.
Is the server hosting Exchange not on a Fixed IP Address?
ASKER
It is yes, but it can also be reached locally with the local IP address 10.9.0.2 through a firewall rule within the VLANs.
Okay - if it is on a fixed Public IP Address - why is it using a dnsalias.org certificate
ASKER
The dnsalias.org certificate is the one from the local/decommissioned Exchange which they are not using anymore.
Okay - how decommissioned is the server as if it is throwing up cert prompts, it doesn't sound very decommissioned to me?
ASKER
Well that's pretty much the root of my problem.
As stated previously, I did delete the local autodiscover virtual directory and there is currently no mailboxes on the local Exchange server but the certificate prompt of the local exchange persists. The next step could be to completely uninstall exchange but I am very hesitant to do that since it is a Windows Small Business server and that exchange is so closely tied to the SBS Console.
Can you disable all the Exchange services and stop the default website without knowingly causing other issues?
Alan
ASKER
I just did but I get the same results unfortunately.
ASKER CERTIFIED SOLUTION
ASKER
It fixed the problem
Ensure that autodiscover.yourdomain.com resolves in internal DNS to the hosted Exchange domain and not your internal domain and the errors should go away.
You can use the following to find / remove the Autodiscover Virtual Directory:
get-autodiscovervirtualdir
Just curious though why you have SBS and then pay for Exchange hosted elsewhere?
Alan
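As an added example (not code from the thread or from any of the posters), the following Python models the Autodiscover lookup order a domain-joined Outlook follows, so you can predict which endpoint answers first and whether the certificate served there covers the name the client contacted. It assumes that the entry the asker describes as coming "from the local AD" is the Autodiscover Service Connection Point, and every host, address and certificate name below is constructed.

```python
"""Model of Outlook's Autodiscover lookup order for a domain-joined client,
used to predict which endpoint is contacted first and whether the certificate
served there triggers a name-mismatch prompt.  Added example, not code from
the thread; all DNS data, certificate names and the SCP URI are constructed."""
from urllib.parse import urlparse


def cert_matches(host, cert_names):
    """True when `host` is covered by one of the certificate's names,
    allowing only a single-label wildcard such as *.hosted-example.net."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def autodiscover_candidates(smtp_domain, scp_uri=None, srv_target=None):
    """Ordered (method, host) pairs a domain-joined Outlook tries: the AD
    Service Connection Point first (assumed to be what the thread calls the
    entry 'from the local AD'), then the two well-known HTTPS names, then
    the _autodiscover._tcp SRV target described in KB 940881."""
    cands = []
    if scp_uri:
        cands.append(("SCP", urlparse(scp_uri).hostname))
    cands.append(("HTTPS root", smtp_domain))
    cands.append(("HTTPS autodiscover", "autodiscover." + smtp_domain))
    if srv_target:
        cands.append(("SRV", srv_target))
    return cands


def predict_prompt(smtp_domain, dns_a, certs, scp_uri=None, srv_target=None):
    """Return (method, host, prompt) for the first candidate that resolves;
    prompt is True when the certificate at that address does not cover the
    name the client connected to.  None means nothing resolved."""
    for method, host in autodiscover_candidates(smtp_domain, scp_uri, srv_target):
        if host not in dns_a:
            continue  # NXDOMAIN: Outlook falls through to the next method
        prompt = not cert_matches(host, certs.get(dns_a[host], []))
        return method, host, prompt
    return None


# Constructed lab data: a decommissioned local SBS still publishing an SCP,
# and a hosted Exchange server reachable through an SRV record.
DNS_A = {
    "sbs-local.example.local": "10.0.0.5",
    "mail.hosted-example.net": "203.0.113.10",
}
CERTS = {  # subject alternative names on the certificate each address serves
    "10.0.0.5": ["oldsbs.dnsalias.example"],
    "203.0.113.10": ["mail.hosted-example.net", "*.hosted-example.net"],
}
SCP = "https://sbs-local.example.local/Autodiscover/Autodiscover.xml"
```

Calling `predict_prompt("example.org", DNS_A, CERTS, SCP, "mail.hosted-example.net")` reports the local SBS answering first with a mismatched certificate; passing `None` for the SCP lets the SRV target win with a matching certificate.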