SBS 2011 multiple SSL certificates.

I need to add an SSL certificate to get Out of Office in Outlook to work using Autodiscover.
I can't find a way to add this extra certificate. I already have one on the server but need the Autodiscover one added too.
TMS asked:
btan (Exec Consultant) commented:
The MS article guides through this cert error, which is typically what most face when getting Autodiscover up and running, regardless of whether it is the OoO use case etc.; the SSL cert impacts the discovery service if it is not provisioned correctly within the limitations of the deployment environment. Do check this to see if it makes sense in your context - https://support.microsoft.com/en-us/kb/2772058

Furthermore, here is another alternative that still uses SSL but with a slightly varied approach, e.g. Autodiscover Site Affinity - see "Autodiscover, DNS, Certificates, and what you need to know"
http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

Supplementary Exchange Autodiscover experience
https://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/
TMS (Author) commented:
So, this looks like it is all set up correctly. Changing from an A record to the SRV doesn't change the issue. Changing to the SRV actually stops mobile autodiscovery, but with the A record mobiles set up OK.

In Outlook, when setting up Automatic Replies, the message given is "Your automatic reply settings cannot be displayed because the server is unavailable. Please try again later." I have checked the IIS settings for all the folders according to this article https://social.technet.microsoft.com/Forums/exchange/en-US/2be59599-9ff8-4387-a6d3-516e87b6a70e/automatic-replies-out-of-office-in-sbs-2011?forum=exchange2010 but all the settings were as described.

The automatic replies can be set up from OWA.
TMS (Author) commented:
I have just tried to repair the Outlook profile and it is unable to resolve the name - Search for the email address. When I try to set up a profile manually it can't find the server. The server name has /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVERNAME. If I set up a new profile then the AUTODISCOVER works.
btan (Exec Consultant) commented:
SRV should work; it is attempted by the client via DNS for the Autodiscover service in the DNS zone that matches the user's SMTP domain. If that cannot be found or resolved, it fails. The SRV points to a host name that eventually resolves to an A or CNAME record that points back to the same Autodiscover service. Eventually, the Autodiscover service may be resolved by using an A record, a CNAME record, or an SRV record. Both of the below should be possible:
E.g. nslookup > set type=A > autodiscover.SMTPDomain.com
E.g. nslookup > set type=SRV > _autodiscover._tcp.SMTPDomain.com

The OoO error may occur when one or more of the following conditions are true. The checks can be referenced at http://www.proexchange.be/blogs/exchange2007/archive/2009/07/14/your-out-of-office-settings-cannot-be-displayed-because-the-server-is-currently-unavailable-try-again-later.aspx
1. You're trying to open the OOF settings of a different Exchange account
2. Incorrect Autodiscover service settings
3. Wrong certificate
4. "Enable Anonymous Access" is enabled in IIS on the EWS virtual directory.

The key is also that both the internal and external URL values must be configured correctly so that they can be resolved. It looks like the new profile can find the Autodiscover service; there may be different attributes. From the MS article:
Method 3: Make sure that the user's attributes in Active Directory are set correctly

Warning This procedure requires Active Directory Interfaces Editor (ADSI Edit). Using ADSI Edit incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems that result from the incorrect use of ADSI Edit can be resolved. Use ADSI Edit at your own risk.

Use ADSI Edit (or a similar tool for editing Active Directory) to determine whether the following attributes are set correctly for the user.
Attribute      Example
mail      ted@contoso.com
mailNickname      ted
displayName      Ted Bremer
proxyAddresses      SMTP: ted@contoso.com X400:c=us;a= ;p=First Organization;o=Exchange;s=Bremer;g=Ted
Common issues occur when a value is not set for one or more of these attributes.

After the correct values are set for these attributes, force directory synchronization to occur, and then try to set up the user's email account in Outlook.
TMS (Author) commented:
I have listed screenshots and additional info in the attachment.
EE-OOO.docx
btan (Exec Consultant) commented:
Strange that the server cannot seem to be found as well - very doubtful that the DNS is functioning well.

You can try out the below steps using nslookup to verify the Autodiscover SRV setup:
http://blogs.technet.com/b/rmilne/archive/2014/10/02/how-to-check-exchange-autodiscover-srv-record-using-nslookup.aspx

And also check in the DNS server via dnsmgmt that the relevant Forward Lookup Zone properly includes the SRV record:
http://www.itnotes.eu/?p=2390

The whole point is to make sure that, if the other SCP connection failed (which is also your finding), the last thing the client tries for the Exchange service is a DNS query for SRV records for the Autodiscover service. The record will take the form "_autodiscover._tcp." + domain. This query might return multiple records, but you should only use records that point to an SSL endpoint and that have the highest priority and weight. https://msdn.microsoft.com/en-us/library/office/jj900169(v=exchg.150).aspx

Noted also that you mentioned OpenDNS, and it seems the DNS requests all forward to it per se (the client DNS server can be pointing to it instead of the local one...), possibly causing the local SRV, if configured, to have no effect. Also, assuming SRV is to work for the Exchange Autodiscover service, how can OpenDNS be involved? They would not be on the internal side but the external side, so how is that going to be taken up by them? I am guessing this may contribute to the local Autodiscover failing... I am not sure, but it would be good to check with OpenDNS on any Exchange-specific configuration, as currently your error is "server is not available" and the DNS is likely not working well.
TMS (Author) commented:
Thanks for the info. So I agree, it seems like the DNS is not functioning. I have set up the AUTODISCOVER SRV record, but when testing from nslookup it says "Non-existent domain". I have tried with both internal and external host references, i.e. server.domain.local and server.domain.co.uk.
Is there a way to reset the DNS? It looks like there is a replication error too, as there are differences between the sites. However, I can't see any errors in the event logs.
btan (Exec Consultant) commented:
Not that easy, but MS has a reference which may take some time to read, which I suggest rather than a wild chase since the DNS is not in a proper setting.
The following are several steps to start troubleshooting DNS issues:

1. Flush the local DNS resolver cache on the client with “IPConfig /flushdns”. This will flush out the negative cache on the client system and allow fresh DNS query results.

2. Flush the DNS server cache using the DNS MMC. Similar in concept to flushing the client DNS cache, this eliminates the server cache, which may contain outdated information.

3. Try NSLookup to query the Exchange server’s SRV record. The Exchange server’s SRV record advertises the existence of the Exchange service. NSLookup will help to determine if the required SRV record is missing.

4. Run DNSDiag to query and resolve the SMTP virtual server. The SMTP virtual server display name and IP address/port combination need to be properly registered in DNS. If the DNSDiag query to resolve the SMTP virtual server is unsuccessful, this indicates that the SMTP virtual server entry in DNS or the SMTP virtual server settings are incorrect.

Having said the above in general, you can also use the DNS administration tool (dnsmgmt.msc) to visually inspect your zones; using scripts or third-party tools is ideal. The use of Nslookup is more of a debug mode, since you state above that you have done the check already (i.e., nslookup -debug DNSrecord). The debug output may be noisy, though it is still helpful for troubleshooting DNS problems.

Next, I am so into the replication domain, but what I understand is that replication of DNS zones depends directly on the type of zone and the configured scope. So if you are running AD-integrated zones, that is, each server maintains a writeable copy of the zone, the most important thing to ensure is that the zones are set to boot from AD in the registry. See this extract:
Although this setting is the default, it’s a good place to start when troubleshooting replication problems. To verify this setting, use the DNS administration tool (dnsmgmt.msc) and look at your DNS server’s properties. On the Advanced tab, set the Load zone data on startup option to From Active Directory and registry.

Troubleshooting. To troubleshoot AD-integration DNS problems, you must first determine the type of problem that exists. A good place to start is to verify that the environment meets the minimum requirements for AD—that is, only one PDC SRV record per domain, at least one GC SRV record per forest, etc.
http://windowsitpro.com/networking/troubleshooting-dns-problems-exchange-environment-part-2

TMS (Author) commented:
Thanks. Been reading around this and will look to make changes tomorrow once a backup has run.
TMS (Author) commented:
Thanks. I use 123 Reg and the Autodiscover entry for the SRV record needed to be in this format: _autodiscover._tcp for the host. It then needs to have 10 for the priority and, say, 3600 for the TTL, and then 0 443 <domain> for the weight and port. Works fine now.
btan (Exec Consultant) commented:
Glad it helps and thanks for sharing.
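The SRV selection rule btan quotes above (use only answers that point at an SSL endpoint, with the best priority and weight) and the record layout TMS ended up with (priority 10, weight 0, port 443, TTL 3600), worked through as an added Python example that is not part of the thread; the SRV answers and hostnames are constructed placeholders, and the selection is applied to a whole answer set rather than the single record in the thread.

```python
# Added example, not code from the thread. Answers are constructed to resemble
# what nslookup (set type=SRV) returns for _autodiscover._tcp.<domain>;
# all hostnames are placeholders.
import re
from collections import namedtuple

# Zone-file style answer: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

def parse_srv(lines):
    """Parse SRV answer lines into SrvRecord tuples; non-matching lines are skipped."""
    records = []
    for line in lines:
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(
                m["name"].rstrip(".").lower(), int(m["ttl"]), int(m["priority"]),
                int(m["weight"]), int(m["port"]), m["target"].rstrip(".")))
    return records

def choose_autodiscover(records, smtp_domain):
    """Apply the rule quoted in the thread: use only records for
    _autodiscover._tcp.<smtp_domain> that point at an SSL endpoint (port 443),
    then take the best priority (lowest number, per RFC 2782) and, among ties,
    the highest weight. Returns the Autodiscover URL, or None if no usable record."""
    owner = f"_autodiscover._tcp.{smtp_domain}".lower()
    usable = [r for r in records if r.name == owner and r.port == 443]
    if not usable:
        return None
    best = min(usable, key=lambda r: (r.priority, -r.weight))
    # /autodiscover/autodiscover.xml is the standard Autodiscover path on the target
    return f"https://{best.target}/autodiscover/autodiscover.xml"

# Constructed answers: a plain-HTTP record (must be ignored), a backup at
# priority 20, and the primary in the layout TMS used (10 0 443 <host>).
SAMPLE_ANSWERS = [
    "_autodiscover._tcp.example.co.uk. 3600 IN SRV 10 0 80 legacy.example.co.uk.",
    "_autodiscover._tcp.example.co.uk. 3600 IN SRV 20 0 443 backup.example.co.uk.",
    "_autodiscover._tcp.example.co.uk. 3600 IN SRV 10 0 443 mail.example.co.uk.",
]

if __name__ == "__main__":
    print(choose_autodiscover(parse_srv(SAMPLE_ANSWERS), "example.co.uk"))
```

The target host the chosen record points at must be a name covered by the server's SSL certificate, which is the certificate problem the question started with.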