Certificate for sites & .local domain...

Running Exchange on a 2008 Small business server.
My SSL certificate recently expired & when renewing it, I found that I could no longer have an entry for sites or mydomain.local unless I went with a 1 year certificate, but I was also told that next year that option was going away altogether.
Currently, users are getting warnings when opening Outlook. Email is working fine, it's just kind of annoying & I'd like to fix it.
What would be the easiest way to fix this?
Thanks!

Very True!
From Oct 2015, all CAs stopped issuing SSL certificates for .local domain names and hostnames (NetBIOS names). As per CA/B Forum regulations, this change is compulsory for all Certificate Authorities.
Work around: For now, purchase a 1 year SAN/UC certificate and this will keep all your local domains secure. Meanwhile you should change the Exchange server configuration to stop using local domains and hostnames. Also you should update all Exchange email users to use the remote server connection hostname, like mail.yourdomain.tld.

Similar Messages

  • Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

    SCCM 2012 has been successfully installed on the server:
    SRVSCCM.
    The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
    Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
    The cluster service is running on the account: sqlclusteruser
    The account has the appropriate SPNs registered:
    setspn -L domain\sqlclusteruser
    Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
    MSSQLSvc/CLS-SQL4
    MSSQLSvc/CLS-SQL4.domain.local
    MSSQLSvc/CLS-SQL4:11434
    MSSQLSvc/CLS-SQL4.domain.local:11434
    After some time, new folders with the following files inside started appearing every day on the cluster hosts:
    srvboot.exe
    srvboot.ini
    srvboot.log
    srvboot.log contains the following information:
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
    Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
    Copyright (C) 2011 Microsoft Corp.
    Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
    Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
    Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
    Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
    Failed to retrieve SQL Server service account.
    Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
    Disconnecting from Site Server.
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

    The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
    Without a successful bootstrap the site server backup is not able to run successfully.
    Try granting everyone the read permission on
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
    This worked for me.
    After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
    After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
    sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

  • 2012 RDS + Gateway Certificate and .local domains

    Can someone verify this is the correct process to stop all certificate errors. 
    RDS 2012 R2 deployment that is the following. 
    1 server with broker web and gateway roles installed. 
    3 session hosts. 
    Domain is a .local
    I want to stop all certificate errors. I have a certificate for the gateway/broker/web server gateway.xxx.com 
    I have had a look at the Change published FQDN for Server 2012 or 2012 R2 RDS Deployment script
    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    Do I just need to run this script on the gateway/broker/web server and will this stop the mismatch errors from the session hosts?
    Thanks

    Does SSO not work on less than this as I have some XP clients and 8.1 is not available for them. 
    Hi,
    To support older clients you need to have the wildcard certificate set on the RDP-Tcp listener on all RDSH servers.  To do this you must import the certificate and its private key into the Local Computer\Personal store on each RDSH server, and then
    use WMI to set the certificate.  The below command should be run on each RDSH in an elevated command prompt after you have imported the certificate and its private key:
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"
    Substitute your certificate's thumbprint for the one shown above.
    Please note that you will not get the best experience with clients that are not at least RDP 8.0 capable, many features will not be available, and you may run into certain issues.  For XP you will want to install the RDP 7.0 client and make the registry
    changes on each client to enable CredSSP.
    Thanks.
    -TP

  • Adding alternative FQDN for local domain.

    Hi,
    I'm trying to configure RDS for my standalone Windows Server 2012 Essentials and it's almost done.
    (Probably) the last thing I need to do is to change the FQDN for my local domain to .com to use RDS externally.
    So, like I said, I've done the dyndns config, added the SSL cert, configured RDWeb, RD Gateway, RD License and RD Broker.
    Now, when I log into remote.mydomain.com/RDWeb, I can log in with Active Directory credentials, get RDP and try to log in to the server. But I can only try, because there is an error about a wrong FQDN for the server (a known and not new error for anyone). So, what I
    had done was changing the FQDN for my domain with this PowerShell script http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 (if anyone had problems with the digitally unsigned script, google for "Set-ExecutionPolicy Unrestricted"); in
    theory, this script changed the FQDN, but in reality, I still have the same problem trying to connect externally.
    I also read that I should add a new DNS zone for my .com domain and there add an (A) record for my remote desktop subdomain that points to the internal IP address of my server. When I tried that, it was even worse because I couldn't even open the RDWeb site. When that
    DNS zone was deleted, everything came back to the previous state.
    And now I'm here, out of ideas. Any suggestion what I did wrong? Maybe it was something with this DNS zone for .com? Maybe there should be a zone, but not a normal one but a "stub zone"?
    I would be happy for any suggestion.

    "I suspect we may have a basic misunderstanding of what each of us is trying to say.  Let me try again. 
    There are (at least) three ways to reach a LAN computer from the internet with Essentials.  Remote Web Access, direct RDP and VPN.  There are also third party solutions, such as Go To My PC and Log Me In.  The third party type
    usually involve a subscription model with recurring charges, the others may involve a fee for SSL certificates, but they are (usually) much less expensive and do not rely on a third party."
    Yes, I can agree we definitely had a problem with misunderstanding so, sorry for that. I was talking about direct RDP to my server because Anywhere Access is already configured (but remote desktop from there to the server opened only the Essentials Dashboard, that's
    why I left this solution). Also, like I said, I'm aware of the risks and I'll
    take responsibility for that.
    "Direct RDP is configured at the router and points the port (3389, but it can be changed) to the IP of the device you want to contact.  then, simply opening the RDP applet on your remote computer and typing in the public IP of the router/firewall
    will automatically connect you to the chosen computer.  This is a very high security risk and should be avoided when ever possible."
    Here is a double facepalm for me - when you wrote about TCP port 3389, I got the enlightenment that I didn't do that (because I earlier tried to work on 443 with Anywhere Access and forgot about it); also the information I got after tries to connect wasn't useful either
    - because Windows gave me back information about a wrong FQDN, I was strictly focused on that problem, but like we know now, the problem was in a much different place. When I opened that port, everything started to be like I wanted (I also found out, after testing the
    RDP client from RemoteApp in the web menu, why I'm using this when I want to use direct RDP anyway). So much facepalm.
    The next thing for now will be a different port than 3389 and, in future, VPN instead of direct RDP.
    Anyway, really, thanks for help!

  • Create a certificate for non domain-joined PCs

    We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined
    PCs look to the CA to get their trusted certificate from.
    This is the issue I am encountering:
    Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
    However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
    "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
    "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!

    It sounds like the question you are really asking is :
    How do I designate the internal root CA as a trusted root CA
    Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt)
    This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
    Run Certutil -addstore CA IssuingCA.crt 
    Brian

  • Preparing new Certificate for Exchange - how to cover the .local domain names

    I need to plan out our new certificate for our CAS servers. Exchange 2010 SP3. Our current SAN certificate has several names including our Exchange FQDNs which are exserver.domain.local. I know our CA will not let me generate SANs with a .local anymore
    so how do I cover the Exchange internal FQDNs in the certificate? 
    I did a get-exchangecertificate and the only certificates I have are the public CA with all the SAN's and Services are IP.WS. The other two Exchange certificates are self signed but only for SMTP "S".
    You can only have one certificate for web services "W" so how do you get around the Exchange FQDN? Our internal autodiscover, availability and OOF etc....that Outlook uses all use the Exchange internal FQDN of servername.domain.local.
    Even if I generate another Exchange certificate for the server FQDN and submit it to our internal CA, I cannot enable web services on this certificate because my public certificate is already enabled for web services.
    Need some help here. I am really stumped on this one.

    Hi Shadowtuck,
    It is suggested to post in the Exchange forum:
    https://social.technet.microsoft.com/Forums/en-US/home?category=exchangeserver
    In addition, hope the link below could be helpful for you:
    Global changes in legislation regarding SAN SSL Certificates
    http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/
    Regards,
    Yan Li
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
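Added example (not from any of the posts above, nor Microsoft's own guidance) for the advice in the first answer on this page and for the Exchange 2010 question just above: move the internal Exchange client-access URLs off servername.domain.local onto the public certificate name and add a split DNS zone so that name resolves internally. Run in the Exchange Management Shell on the CAS; EXSERVER, mail.yourdomain.tld and 192.0.2.10 are placeholders for your own environment.

```powershell
# Added example: repoint Exchange 2010 client-access URLs from the internal
# .local name to the public certificate name, then make that name resolve
# to the CAS on the LAN (split DNS). All names below are placeholders.
$Server     = "EXSERVER"             # CAS NetBIOS name (assumption)
$PublicName = "mail.yourdomain.tld"  # name present on the public certificate
$InternalIp = "192.0.2.10"           # CAS address on the LAN (documentation range)

# 1. Autodiscover is the first thing Outlook looks up, so its URI must match the certificate.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$PublicName/Autodiscover/Autodiscover.xml"

# 2. Internal URLs of the virtual directories Outlook and mobile clients use from inside the LAN.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$PublicName/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$PublicName/ecp"

# 3. Split DNS: an AD-integrated zone named after the public host, with a root A record,
#    so LAN clients resolve it to the CAS instead of going out through the firewall.
dnscmd /ZoneAdd $PublicName /DsPrimary
dnscmd /RecordAdd $PublicName "@" A $InternalIp

# 4. Apply and verify: every internal URL should now carry the public name, and that
#    name should be on the certificate that has the IIS ("W") service enabled.
iisreset /noforce
Get-ClientAccessServer -Identity $Server | Select-Object AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Select-Object InternalUrl
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Select-Object Thumbprint, NotAfter, @{n="Names"; e={ $_.CertificateDomains -join "," }}
```

The public certificate must list mail.yourdomain.tld (and autodiscover.yourdomain.tld if you publish that record); after the change, re-create an Outlook profile on one client to confirm the name mismatch warning is gone.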

  • Certificate error on Outlook 2013 clients, Outlook 2007 clients do not get certificate error, Exchange 2010, dot local domain name

    Hi
    I'm looking for a solution that I can't seem to find.  I have an Exchange 2010 server running in a dot local domain (domainname.local), so my SSL certificate is installed using the servers external email DNS name.  email.mycompany.com
    I have followed the instructions to resolve this on the Exchange server, implemented the changes so autodiscovery sees the server as email.mycompany.com.  This works great for my Outlook 2007 users.  The downside is that none of my Outlook 2013
    clients can access their email without the certificate error server name mismatch.  
    I know Outlook 2013 has tighter security but I need to get rid of these cert errors, any thoughts out there?

    Hi,
    Since both your Outlook 2007 users and Outlook 2013 users are using Exchange 2010 with the same server configuration, it should be working in both Outlook client versions.
    Please restart your IIS service by running IISReset /noforce from a Command Prompt window on the Exchange server to have a try. In Outlook, please re-create an Outlook profile to check whether the issue persists.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Expired certificate for IIS services. I need to get this renewed for servername .Domainname.local

    The sbs2011 Server is no longer receiving external emails.  I have an expired certificate and need to get it renewed correctly.....but I'm unsure of all the choices it asks for.
    Need some help here.

    Open Exchange PowerShell and type
    Get-ReceiveConnector | FL
    Share the details.
    Also, Basic troubleshooting first :
    So if you do telnet from external machine to port 25 on server do you get a banner?
    telnet remote.domain.com 25
    It should return something similar :
    220 servername.domain.local Microsoft ESMTP MAIL Service ready
    You can do a telnet on the server itself and one from the outside and compare; if they are not the same, the router / firewall is routing to the wrong server or it is corrupting the response.
    Assuming it's a Self Assigned Certificate - to reissue a Self Assigned Certificate follow:
    http://blog.the-it-blog.co.uk/2013/01/25/re-issuing-a-self-signed-certificate-for-exchange-sbs/
    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.
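Added example (not from the reply above) that automates the telnet comparison it describes: read the SMTP greeting on port 25 from the server itself and from outside, and report whether both paths reach the same host. remote.domain.com is the placeholder public name used in the reply.

```powershell
# Added example: fetch the SMTP greeting the way "telnet host 25" shows it,
# then compare the greeting seen from inside with the one seen from outside.
function Get-SmtpBanner {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a firewall that silently drops port 25 does not hang the check.
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "connect to ${HostName}:$Port timed out"
        }
        $client.EndConnect($handle)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        # First line is the greeting, e.g. "220 servername.domain.local Microsoft ESMTP MAIL Service ready"
        $banner = $reader.ReadLine()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.WriteLine("QUIT"); $writer.Flush()
        return $banner
    } catch {
        return "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

function Compare-SmtpBanner {
    param([string]$Inside, [string]$Outside)
    # A healthy path returns a 220 greeting whose second token is the server's own name.
    $insideName  = if ($Inside  -match '^220\s+(\S+)') { $Matches[1] } else { $null }
    $outsideName = if ($Outside -match '^220\s+(\S+)') { $Matches[1] } else { $null }
    New-Object PSObject -Property @{
        InsideBanner     = $Inside
        OutsideBanner    = $Outside
        OutsideReachable = [bool]$outsideName
        # False means the outside path hits a different server, nothing, or a mangled response.
        SameServer       = ($insideName -ne $null) -and ($insideName -eq $outsideName)
    }
}

# Run the inside check on the Exchange server itself and the outside check from a machine
# on the internet; if they run separately, paste the outside banner into $outside by hand.
$inside  = Get-SmtpBanner -HostName "localhost"
$outside = Get-SmtpBanner -HostName "remote.domain.com"   # placeholder public name from the reply
Compare-SmtpBanner -Inside $inside -Outside $outside | Format-List
```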

  • Issuing certificates for user and clients from different forest/domain

    Hello,
    At first I would like to say that I have done some research on this forum and on the Internet overall.
    I have an AD Forest with ~10 sites all over Europe, DFL and FFL are 2008 R2; right now we are migrating site by site from the old domain (samba) to AD.
    Last time I deployed a PKI based on an offline root CA and 2 Enterprise CAs acting as a 2-node Failover Cluster.
    Everything in my AD Forest is OK, I mean, autoenrollment works perfect for users and computers from my forest, 
    now I need to deploy a certificate (for a test) to one web-based PBX server in the samba domain; there are no trusts etc. The Samba domain as well as the AD Forest are working on the same network, with routeable subnets in each site, so there is no problem with connectivity.
    What are the possible ways to achieve this goal? I mean to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?
    I have installed and configured the CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of a different domain), I selected username/password authentication, I am able to request a certificate, I can
    see all templates which I should see, but when I try to enroll I get an error:
    (translated from my language) A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
    My root CA cert is added to trusted publishers for computer and user node as well.
    What could be wrong? If you have any ideas or questions, please share or ask. 
    Thank you in advance.

    Everything is clear, I have Certificate Enrollment Web Services installed and configured;
    the problem is what I get from certutil -TCAInfo
    ================================================================
    CA Name: COMPANY-HATADCS002-ISSUING-CA
    Machine Name: COMPANYClustGenSvc
    DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
    Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
     NotAfter: 2019-02-14 12:44
    Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
    Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
      Enterprise Subordinate CA
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 02:
        Issuer: CN=HATADCS001-COMPANY-ROOT-CA
        ThisUpdate: 2014-02-14 12:16
        NextUpdate: 2024-02-15 00:36
        d7bafb666702565cae940a389eaffef9c919f07a
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 11:55
      NotAfter: 2024-02-14 12:05
      Subject: CN=HATADCS001-COMPANY-ROOT-CA
      Serial: 18517ac8a4695aa74ec0c61b475426a8
      b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    Exclude leaf cert:
      5b309c67a8b47c50966088a4d701c8526072c9ac
    Full chain:
      413b91896ba541d252fc9801437dcfbb21d37d91
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    Supported Certificate Templates:
    Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
    Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
    Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
    Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
    Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
    Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
    Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
    Validated Cert Types: 7
    ================================================================
    COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
      Enterprise Subordinate CA
      A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
      Online
    CertUtil: -TCAInfo command completed successfully.
    Please put some light on it because it's driving me crazy :/
    Thanks in advance
    One remark: certutil -tcainfo performed on the CA directly is 100% OK, no errors regarding 
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • Work folders - certificates with .local domain

    Hello,
    We'd like to deploy Work folders in our domain.local environment.
    Technet states that the certificate name should be the public URL workfolders.domainname and that for every file server a SAN needs to be listed. I was wondering how we need to implement Work Folders as you can't add local server names anymore to public certificates.
    For us, the public URL would be workfolders.company.eu and the server name is fileserver.company.local. Anyone already built a setup like this?

    Hi Bram
    Here is what I did.
    In the situation, you have mydomain.local as your domain, but mydomain.com as your normal public domain.
    I added workfolders.mydomain.com to my public DNS as an A record and pointed the IP of that record to the gateway of my internet on my local server.
    In my case, my local server would have been server.mydomain.local. I created a new zone in my AD DNS server called workfolders.mydomain.com. In there I created a blank A record with the IP of my local server.
    In my router I port forward port 443 to the IP of server.mydomain.local.
    In IIS management of the local server create a certificate request for workfolders.mydomain.com.
    Obtain an SSL certificate for workfolders.mydomain.com from a place like godaddy.com and install it in IIS and bind to port 443. You should only have the IIS core web services installed and NOT the full IIS.
    When you set up Work Folders on the clients, choose to enter an address and type https://workfolders.mydomain.com.
    When you are local and you ping workfolders.mydomain.com it should point to the local server because of the A record you created locally.
    When you are out of the office, the public domain will then route to your server via your router and find the server.
    This has worked for me and all syncs fine both locally and over the internet.

  • "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

    I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
    1st Error (from administrative events):
    The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
    Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
    Tried so far:-
    - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
    2nd Error (from application server):
    DistributedCOM error
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
    {000C101C-0000-0000-C000-000000000046}
     and APPID 
    {000C101C-0000-0000-C000-000000000046}
     to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
    https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
    Other Fixes I tried
    - Found on another topic that it is not SharePoint that is causing the problem, but the generated ASP.NET web pages used for testing causing the memory to fill up due to caching in RAM; the fix suggested changing IIS caching from RAM to HD to prevent
    loading up using w3wp.exe from processes. 
    Concern
    - By checking other topics for people having the same problem, it was mentioned that this error appeared after the latest TFS update; is there a fix for it?

    Hi Kpdn, 
    Thanks for your post.
    All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click
    HERE to participate in the survey.

  • How do you organize multiple mailboxes for each accepted domain with the same local part?

    Let's say we are accepting emails for the two domains wine-and-cheese.com and beer-and-pretzels.com.
    I plan to create two mailboxes [email protected] and [email protected]
    By default, the local part of the SMTP address uses the alias, which is the same as the sAMAccountName. Since I cannot have two AD users with the same sAMAccountName, I choose to name them "info-wine" and "info-beer". The result is, that
    I have two mailboxes with the address [email protected] and [email protected], respectively.
    One thing I could think of would be to manually add [email protected] and [email protected] to the corresponding mailboxes. I prefer to avoid anything that has to be done manually.
    Another idea, that involves manual editing is, to change the aliases of both mailboxes to "info", but that results in having the second mailbox create the SMTP address info2@….
    I am very interested how you handle those situations, particularly in bigger companies with more than 50 employees and 75 mailboxes.

    Hi ,
    Alright, based on my knowledge I have given some points; please have a look into this.
    Step 1 :
    Please create the first user account on AD in the below format.
    info as the first name in AD
    wine as the last name in AD
    Then please create the second user account on the AD in the below format.
    info as the first name in AD
    beer as the last name in AD
    Step 2 :
    Then you need to have the email address policy with the custom type attribute which should apply the email address based upon the first name, so that all the email addresses will have the first name (i.e.) "info" as the prefix.
    Custom type attribute should have to be like
    %[email protected]
    %[email protected]
    %[email protected]
    %[email protected]
    Note: The custom type attribute which is created first will be the primary address for all those mailboxes. In the above example
    @wine.com will be the primary SMTP address for those mailboxes. In case you want some set of mailboxes to have the suffix @wine.com as the primary SMTP address and some set of mailboxes to have the suffix @beer.com as the primary SMTP
    address then you need to create separate email address policies with rules.
    Reference Link : 
    https://technet.microsoft.com/en-us/library/bb232171(v=exchg.150).aspx
    Please reply me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
    around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
    appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
    to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
    rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
    domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field. This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace. Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
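    A SAN coverage check for the question above, as an added example that is not from this thread: it derives the external names clients request per SIP domain and reports which ones a certificate's SAN list actually covers, applying the usual single-label wildcard rule and never substituting a CNAME target, since cross-domain CNAMEs are not honoured over HTTPS. The SAN entries, SIP domains and the sip.<domain> / lyncdiscover.<domain> naming pattern are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample: SANs on an Edge/reverse-proxy certificate and the SIP
# domains it must serve. Placeholder names, not the poster's environment.
SAMPLE_SANS = ["sip.contoso.com", "*.contoso.com", "lyncdiscover.fabrikam.com"]
SAMPLE_SIP_DOMAINS = ["contoso.com", "fabrikam.com", "contoso.net"]


def san_matches(san: str, host: str) -> bool:
    """Exact match, or a leftmost-label wildcard within the same parent domain.

    "*.contoso.com" covers "lyncdiscover.contoso.com" but neither
    "contoso.com" itself nor "a.b.contoso.com" (wildcards span one label only).
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, sep, parent = host.partition(".")
    return bool(label) and sep == "." and parent == san[2:]


def required_names(sip_domains: List[str]) -> List[str]:
    """Names clients request per SIP domain (assumed pattern): sip.<d> as the
    Access Edge SRV target and lyncdiscover.<d> for mobile autodiscover."""
    names: List[str] = []
    for d in sip_domains:
        names += [f"sip.{d}", f"lyncdiscover.{d}"]
    return names


def coverage_report(sans: List[str], sip_domains: List[str]) -> Dict[str, object]:
    """Report which required names the SAN list leaves uncovered.

    The *requested* name is checked, not any CNAME target it might resolve
    to: over HTTPS the certificate must cover the name the client asked for.
    """
    required = required_names(sip_domains)
    missing = [h for h in required if not any(san_matches(s, h) for s in sans)]
    return {"san_count": len(sans), "required": required, "missing": missing}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_SANS, SAMPLE_SIP_DOMAINS)
    print(f"{report['san_count']} SANs, {len(report['missing'])} names uncovered")
    for h in report["missing"]:
        print("  missing SAN for:", h)
```

    With the constructed sample the wildcard covers the contoso.com names, fabrikam.com only has its autodiscover name, and contoso.net has nothing, so three names come back as missing.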

  • How to disable checking for sites security certificates

    I work in a company which manipulates its server in a way to make all unwanted sites look like not having a valid certificate, so when I try to open them, like the Gmail site, I get a message that this site doesn't have a valid certificate and Firefox, or any other browser, doesn't open the site. The question is: how to disable this feature in Firefox to stop looking for sites' certificates or not care about them?

    Exporting a root certificate in another browser would only be helpful if it did work in that browser.
    If it happens in other browsers as well then it would be of any help.
    I'm not seeing the button to add an exception, as that would allow you to inspect the certificate in the Certificate Manager.
    Is that specific page opened in an (i)frame?
    If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab".

  • Any applicable\recommended Group Policy settings (Local & Domain) for configuring windows 8.1 "gold master image" for collection

    Happy Friday everybody -
    I'm working on implementing Microsoft RDS 2012\VDI for the folks here at work. I've read - online - a lot of articles on VDI and RDS 2012 - and have a working model that is working somewhat satisfactorily. I haven't seen much online about steps I could take in Local Group Policy on my Windows 8.1 'gold image' - or for that matter Domain level group policy - that can assist in creating a better, more reliable/robust Windows 2012 VDI environment.
    Anybody out there got any information or opinions or advice on Group Policy settings for VDI environments?
    Thanks again, everyone!
    Adrian
    anr

    Hi Adrian,
    Thank you for posting in Windows Server Forum.
    In regards to your issue, you can refer to the articles below for detailed information.
    1. Group Policy Best Practices for VDI Environments
    2. Some Basic Group Policy Settings for VDI
    Hope it helps!
    Thanks.
    Dharmesh Solanki
