Certificates CNAME or Host (A) Record?

Similar Messages

• Certificate does not match a unique certificate on this host for the issuer

  Hey everyone!
  I've been working with a strange issue on my persistent chat pool. I added a pool to my current deployment, all of which went without issue, until I tried to connect to one of my chat rooms, where I was met with the infamous "Your chat room access may
  be limited due to an outage". The logs were filled with the following error
  "The persistent chat server can not establish or maintain MTLS connection to the Lync Server
  Reason String: RemoteDisconnected"
  When I went to renew the internal cert, I get the message:
  WARNING: "4f000000139c71d470b9a56af1000000000013" does not match a unique certificate on this host for issuer "CN=hosting-EXAD2-CA-1, DC=hosting, DC=email".The following certificate was assigned for the type "Default":Default:
  E1864894FD306300A16F301AA21446CF45F7ABD3 EXPCPOOL.hosting.email 02/16/2017 CN=hosting-EXAD2-CA-1, DC=hosting, DC=email 4F000000161F1E51F1F5EB8C57000000000016ImageWARNING: "Set-CSCertificate" processing has completed with warnings. "1" warnings
  were recorded during this run.ImageWARNING: Detailed results can be found at "C:\Users\administrator.HOSTING\AppData\Local\Temp\1\Set-CSCertificate-[2015_02_17][08_29_57].html".
  Any thoughts on this?

  Hi,
  Check this old thread
  https://social.technet.microsoft.com/forums/lync/en-US/3d569519-8a43-4cd2-b322-718ee575e140/lync-frontend-certificates-vanish
  https://guybachar.wordpress.com/2014/04/16/certificate-requirements-for-lync-2013-enterprise-persistent-chat-server/
  Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

• SPN - SMB connection with Host A record with Kerberos Auth

  I want to connect to a Share \\originalservername\share but I want to use a different hostname,
  It will be a new host (A record) added to the DNS it is not going to be a CNAME.
  Do I still have to set SPN for this Host A record? If so, would it be as
  setspn -r newhost
  Or would it be something like:
  setspn -a host/newhost originalservername
  If it is not required could you explain why?
  I want to use Kerberos authentication not NTLM 

  Hiya,
  I prefer using the setspn -s for registrating spn's, as it checks for duplicates.
  So in your case it would be;
  setspn -s host/<new name> <originalservername>
  setspn -s host/<new name>.<domain> <originalservername>
  example:
  setspn -s host/server1 server99
  setspn -s host/server1.contoso.com server99
  You need an SPN registrered in order to use Kerberos, therefore it is required.

• DNS Host(A) records disappear after a while

  Hi all,
  a few weeks ago we started to change the TCP/IP configuration of our printers from "static" to DHCP with reservations. The DHCP server is configured to register forward Host(A) and reverse PTR record on DNS on behalf of (all) clients, both are W2K3 with SP2.
  This works well for all our Toshiba printers/copiers and most of our HP printers. However, on a handful of HP printers the Host(A) record in the DNS zone get lost / disappeard after some time, leading into a non working name resolution. But only the Host(A) record, the reverse PTR record is still there. Currently we have this issue with  Business InkJet 2800 attached via a JetDirect J3258G to our network.
  In the past we noticed, that on another printer the Host(A) record re-appears after some hours, only to disappear after a while again. These intervals last some hours up to one day, but seem to follow no period or schedule, like DHCP lease time, DNS scavening etc.
  I have intentionally not "listed" all the technical details in this first post. However, if you need specific details I will be happy to share them.
  Any hint or comment is appreciated
  regards

  This is by design.
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/afd3c338-1706-4898-b269-550c018073c0/dns-entry-for-dc-not-dynamically-updating-server-2008-r2?forum=winserverDS
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/ed97a286-d884-43d6-87e2-5cd5e59cfe9a/windows-2008-r2-domain-controllers-and-static-dns-entries?forum=winserverNIS
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• SSL Certificate common name (host name field) is incorrect

  When user open the Microsoft Office Project and connect to their PWA site, they will get the message "SSL Certificate common name (host name field) is incorrect".
  Which area that I look start looking at? The client computer or the server itself? The cert expiration date was still long way to go.
  teikboon

  What is the url user is accessing, hotname/pwa or mycompany.com/pwa
  Certificate is issued by using hostname or something else?
  Hrishi Deshpande – Senior Consultant DeltaBahn
  Blog | < |
  LinkedIn
  Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you.This can be beneficial to other community members reading the thread.

• Cname domain hosting via mobile me

  Hello-
  I am trying to upload my iweb website to another domain name. I read the instructions on how to do so on my mobile me account and contacted my web hosting service and forwarded them the instructions. They followed the instructions and told me the cname was changed. Now when I "publish" my website it goes to the correct domain name but nothing is uploaded?
  Any suggestions on where to approach the problem from?

  If you are using MobileMe and CNAME, then no, you are not uploading directly. What you are doing is publishing your site to MobileMe and linking the two together.
  So you need to enter your domain name into your MobileMe account under the personal domain name settings firstly and then go to your domain name registrar and the DNS settings and set up a new CNAME that firstly forwards 'www' and @ to web.me.com and it should work.
  Anything else and you need to do things differently, but you are still publishing to MobileMe and forwarding your domain name to your website at MME.

• Maintain Sales Tax Exemption Certificate info in Customer Master Record

  Hello people!
  I really need your help in this one: we are going to implement SAP in a company settled in Canada. The users requested us that it is highly important to maintain Tax exemption certificate for GST (GST is "Goods and sales tax" -- not withholding) in the customer master record.
  I couldn't find anything in SAP to store this info in the Customer Master Record... have you ever had this issue before? is there a workaround? We are not using any external tax system (for example: Vertex). Any information is useful. Thanks in advance. Maria.

  Hi Maria,
  I was going through how GST works and I think you can create Tax codes under withholding tax and use the same as withholding tax.
  As per my understanding of GST, all your process can be met...
  However, for reports because there is no standard avail, you would need to develop reports..
  Hope this helps..
  Cheers,
  Redoxcube

• Help needed with certificates for RDS Host servers

  Hi,
  We currently have 4 RD Session-Host servers in our network. All four servers are member of a TS farm. We also have a TS Gatway server.
  I managed to give the TSGW server a certificate but I need your support on this on the RDS servers.
  What happens?
  When a user connects to the farm, a warning pops up telling me that the certificate is not issued by a trusted CA. This is because all RDS servers are using self signed certificates. Because the servers are farm members a user can be presented with this
  warning several times when the session is being redirected.
  How do I get rid of these warnings as well in our LAN as on the internet? What certificate type do I need?
  Thanks in advance.
  Jasper Kimmel

  Hi Jasper,
  What is your Server OS for your environment?
  Yeah, your all certificate related all warnings can disappear by purchasing the certificate from public CA. To access the farm outside the environment you can buy wildcard certificate. And yes, your all related queries be solved from the article provide in
  my previous comment.
  The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services.  You can request and deploy your own certificates and they will be trusted by every machine in the domain.
  If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA.  Examples including, but not limited to: GoDaddy, Verisign, Entrust, Thawte, DigiCert
  In Windows 2008/2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, next to the connection broker and finally to the server that will host your session.
  In Windows 2012, you connect to the Connection Broker and it routes you to the collection by using the collection name.  
  The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers
  in the collection.  The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to.  If you have users connecting externally, this needs to be an external name (needs to match what they connect to).  If
  you have users connecting internally to RDweb, the name needs to match the internal name.  For Single Sign On, again the subject name needs to match the servers in the collection. (Quoted from previous article).
  Apart there is one more article by Kristin, you can go through for reference.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].

• Creating a Host file record between two trusted domains?

  In each domain DNS, create a conditional forwarder for the other domain DNS server. That will resolve the issue. Keeping track of host files is an easy thing to forget and drop off the radar.

  I've got two domains that end users RDP between. Recently, we ran into a problem with a .bat file that was used to create and map a shared drive (for scanned images) failing. I speaking with the software vendor who created the .bat file, they suggested that I make an entry in the Host file for the specific end user who is having this problem since the issue seems to be DNS related (can not resolve the computer name to the IP address from the server that is being RDP's into). When I attempt to create the A record, it tags the home domain onto the end of the FQDN.Like this,Name: end-user-pc.domain.orgFQDN: end-user-pc.domain.org.hostdomain.comIP address: 10.0.3.3Where the domain that the end user's desktop resides is domain.org and the domina that the server being remote'd into is hostdomain.com.The hostdomain.com server is 08R2 and the...
  This topic first appeared in the Spiceworks Community

• Smart Hosts & DNS records

  Hi All.
  I hope someone could assist me as I have been struggling with mail flow issues for a long time.
  We have our own in house exchange server and internal mail as well as incoming mail is 100 %.
  We have always used our ISP smart host to send email and started getting email flow issues a couple of months ago.
  I then switched over to sending email via DNS. I setup the correct DNS records eg Reverse Lookup record and SPF records as i thought this might be an issue. I have also cleared our domain off one or 2 blacklists. (We had a user account compramised and spammers
  were using that account to send email)
  This is now all cleared up and general outbound email flow is going great, but once again we are now experiencing issues with all clients filtering with Mail Marshall.. Message as below:
  Your message did not reach some or all of the intended recipients.
  Subject:    Email
  Sent: 2014/09/16 09:02 AM
  The following recipient(s) cannot be reached:
  [email protected] on 2014/09/16 09:02 AM
  There was a SMTP communication problem with the recipient's email server. 
  Please contact your system administrator.
  <example.example.org.za #5.5.0 smtp;550 Message refused by MailMarshal SpamProfiler>
  Has anyone got any advice on what I can do. The failed report doesnt give much help. I have also sent an email with just text to see if maybe its the email signature but still
  no luck.
  I'm thinking of switching back to the ISP as a smart host but I'm not sure if the SPF and reverse DNS records would cause an issue now.
  Would our clients not look at the reverse and SPF record and see that the IP (ISP Smarthost) doesn't match our IP lised in the public DNS ?
  Much Appreciated.
  Shaun

  Hi.
  I contacted the support for Mail Marshal and they got back to me and sorted out the issue. It seems fine for now.. They were really helpful I must say.
  The response from them for anyone else with the same issue perhaps.
  Regards,
  Shaun
  Hi Shaun,
  It is not a blacklist exactly. SpamProfiler is run on a fingerprint (or pattern) basis. It scans the content of the email message and then acts accordingly to the fingerprints it finds. Due to emails containing your
  email domain being submitted as spam and/or mails you sent hitting honey pots, the fingerprint of your domain was flagged as a spam URL. Hence the recommendation to audit your mailing lists. So it was the pattern of the domain that was in the system. Unfortunately
  that is not something you can check on MX Toolbox, as Cloudmark (the company that provides the fingerprints for SpamProfiler) does not make their fingerprints publically available

• Create CName as an existing name of A record

  Hello all,
  Is there a way that I can create a Cname as an existing A record name?
  I got this following error message if I tried to create a cname.
  A new record cannot be created.
  An alias (CNAME) record cannot be added to
  this DNS name. The DNS name contains records that are incompatible with the CNAME record.
  I would like to do the followings.
  1) There is a print server, printserver01vm.
  2) I deploy a new print server, ps01vm, to replace the old one.
  3) To avoid for the users to remap all the network printers on their client PCs, I would like to create a Cname as like the current Print server name (printserver01vm) <a record>
  4) Cname will poin to the new print server (ps01vm)
  5) got the above error.
  If there is a better solution, please let me know. It would be appreciated.
  Kris

  Hi Kris,
  It seems like you have new print server fully up and running. If yes, then you can remove the old print server's host record (A record) and create alias (cname record) printserver01vm pointing it to new print server ps01vm.
  You want to uncheck "Register this connection's addresses in DNS" on your old print server so it will not try to re-register on DNS.
  And yes, you will not be able to create cname record if the A record exists with same name.
  MCP, MCTS, MCSE 2003, MCITP 2008, MCSA 2012
  LinkedIn: http://www.linkedin.com/pub/jatin-patel/25/90b/2a/
  Please help and appreciate others by using these features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"
  This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

• Cisco ASA rely HTTP port to HTTPS without using CNAME DNS-record

  Hi all,
  could anyone tell me Is it possible to configure ASA so when customer rely http://domain.com Cisco ASA rely to https://domain.com (it's similar with CName function of domain record).
  P.S. resource of domain.com located behind ASA and DNS A-record rely on public ASA ip address
  Thank you.

  What version ASA are you running?
  If the server has both static public and private IPs you could use NAT to redirect HTTP traffic to HTTPS based on IP.
  object network PUBLIC_IP
    host 1.1.1.1
  object network REAL_IP
    host 2.2.2.2
    nat (inside,outside) static PUBLIC_IP http https
  Keep in mind that you will also need a NAT statement that maintains https to the server.
  Please remember to select a correct answer and rate helpful posts

• Bulk Import Static DNS Host Records?

  I have a text file with the hostnames and IP addresses for a large group of new computers that should have a static host entries.
  How can I import these into Server 2008 DNS without having to type them in one by one?

  Hello,
  You can achieve this using Powershell 3.0 if you have Windows Server 2012. Or you can install Powershell 3.0 on your Windows Server 2008 and perform the task. More information on:
  DNS bulk host (A) records creation
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Lync 2013 certificate requirements for multiple SIP domains

  Hi All,
  I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
  around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
  appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
  Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
  Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
  Friendly URL option 3 from this page:
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  Client auto-configuration:
  i.     
  Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
  ii.     
  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
  iii.     
  Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
  HTTPS.
  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
  to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
  Many thanks,

  Many thanks for the response.
  I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
  http://technet.microsoft.com/en-gb/library/hh690030.aspx
  Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
  to an address of director.contoso.net is not supported over HTTPS.
  In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
  rule for port 80 (HTTP).
  For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
  domain.”
  I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
  As per the below article:
  http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
  “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
  create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
  This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
  the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
  ===================
  1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
  2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
  fall under the XXX umbrella but are very much run as individual entities.
  Question:
  Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
  Thanks.

• Outlook 2007 security warning: " The name of the security certificate is invalid or does not match the name of the site" Article id 940726

  I am one of those suffering from the effects of new SAN certificate rules which will NOT support internal .Local domain names and netbios names.
  I have a simple single exchange 2010 std server in an AD domain mydomain.local and I am trying to use the Article id 940726 steps to reconfigure the exchange server. I have worked through the steps as described in the article and changed the service connection
  point object for the autodiscover service to reference my public host `mail.mydomain.com' and similarly with the ews internalurl etc. I have created a forward lookup zone on my internal AD DNS server and created a host (A) record for the external mail.mydomain.com
  to resolve to an internal ip address of the exchange (CAS) server. BUT I have not created an (A) record for autodiscover.mydomain.com because my understanding is that it isnt REQUIRED, however please correct me if I have misunderstood. I believe that domain
  joined outlook clients will use the SCP object servicebinding attribute to locate the autodiscover services. 
  After applying the changes and  recyling the MSExchangeAutodiscoverAppPool in IIS, I am struggling to understand why all my internal oulook clients (working perfectly before this change) are being presented with a windows security login box prompting
  for user credentials in the UPN format which we havent used before and isnt configured in AD. The windows security box is prepopulated with login name of `[email protected]' and I have not enabled upn logon format in AD always seen the domain\user windows
  login box.
  Test outlook email configuration fails the autodiscover tests with ...autodiscover.xml failed (0x80040113) httpstatus 503.
  Does anyone know what I have done wrong? Ofcourse if I change the SCP url back to the netbios server name.domain.local everything goes back to working as normal.
  I have searched high and low but cant seem to find a fix for this. I am beginning to wonder if the steps in article 940726 have been validated by anyone else in a similar scenario to mine.
  Any help will be highly appreciated.
  Trikz MCSE

  Hi Jason, Well, if it is doing that, it is most likely beccause your autodiscoverredirection.hostname.com also respond to port 443/SSL. So, what you need to do is to make sure that specific IP isn't responding to 443. The reason is this, 1. You first hit
  https://autodiscover.tenant-domain.com, which this is a CNAME to autodiscoverredirection.hostname.com. So, if autodiscoverredirection.hostname.com respond to 443, it will then give you an error. If it doesn, it will then move on to perform redirection right
  away and you will not get that prompt.Regards, Kip Ng - http://blogs.technet.com/b/provtest/