Exchange 2013 DNS for internal and external domain

Similar Messages

• Exchange 2013 not receiving internal and external emails ..

  I have a coexistence of exchange 2007 and exchange 2013 ..2013 mailboxes where able to receive and send mails (internal and external) but suddenly the mail flow has stopped. 
  Mail flow status
  2013 to 2007 = OK
  2013 to internet = OK
  2013 to 2013 = OK
  2007 to 2013 = FAIL
  Internet to 2013 = FAIL 
  incoming internet mails return the NDR below
  Diagnostic information for administrators:
  Generating server: mydomain.com
  [email protected]
  Remote Server returned '< #4.4.7 smtp;400 4.4.7 Message delayed>'
  What could be a possible reason for this? 
  Cheers guys ..
  ..forever is just a minute away*

  Hi Richard,
  Thank you for your question.
  When there is a coexistence of Exchange 2007 and Exchange 2013, external email will be sent and received by Exchange 2013.
  4.4.7 means message expired, message wait time in queue exceeds limit, potentially due to remote server(your Exchange server ) being unavailable.
  If your organization has correct MX record in ISP. We could refer to the following link to check if MX record is correct:
  http://technet.microsoft.com/en-us/library/aa998082(v=exchg.65).aspx
  If we could telnet Exchange server by the following command: telnet mail.domain.com 25
  If there is a receive connector on Exchange 2013 to receive Internet emails, we could create a receive connector to receive message from the Internet by the following link:
  http://technet.microsoft.com/en-us/library/jj657447(v=exchg.150).aspx
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim

• Non-Web Server Publishing Rule for Internal and External

  Hi there,
  I have a problem with my TMG and publishing SSH for Internal and External users to an internal Server.
  Network:
  Internal Network
  SSH Server, 10.10.10.25
  Internal DNS record "ssh.domain.com" pointing to 10.10.10.254
  TMG Server, 10.10.10.254/192.168.0.254
  External Network
  External DNS record "ssh.domain.com pointing to 192.168.0.254
  I want my users (internal AND external) using their SSH client to connect to ssh.domain.com and TMG to forward the request to the SSH server. Note that internal clients and the SSH server are in the same network.
  I have created a custom "SSH Server" protocol with inbound TCP for port 22 and created a Non-Web Server publishing rule.
  Traffic Tab: SSH Server Protocol
  From Tab: Internal, External
  To Tab: 10.10.10.25, original client
  Networks Tabs: Internal, External
  External users cann connect without a problem, all fine here. Internal users get a timout. The TMG Log says: Denied Connection (Default Rule,
  The policy rules do not allow the user request) and doesn´t recognize this is an inbound request. The log gives me dest IP 10.10.10.254 and protocol SSH and not 10.10.10.25 and SSH Server.
  I read a lot of networking rules and NAT/Routing, tried a bit but never got a success.
  Can you help me fix or working around this and tell me whats going on there and if there a limitations in TMG I don´t know yet?
  Regards,
  Sascha

  Hi,
  According to your description, it seems that request was denied by the TMG rules so the request from the internal users
  could not be forwarded to the SSH server. I would appreciate it if you can post the logs to us and the results of running ipconfig/all on the TMG server.
  In addition, maybe you can change the firewall policy only from
  External and add another firewall policy for the internal user to see if the issue persists.
  More information:
  Creating and using a server protocol
  TMG
  Back to Basics - Part 1: Server Publishing Rules
  Best regards,
  Susie

• Single URL for internal and external CRM access when using IFD

  Hello,
  At one of our client site I have setup IFD on CRM 2011. This IFD is behind TMG. My client is a big corporation therefore all CRM components including CRM, ADFS and SQL are on separate servers.
  I have configured IFD using single url https://orgname.contoso.com Their IT staff wants to know why can't they use single URL for internal and external access where internal users are nto prompted for authentication
  when logging on to the CRM server. I know you can do URL re-write in ADFS but they want to know the reason "why internal users can't use the same IFD URL and don't get prompted for their credentials". Text below is from their IT staff.

  There are several approaches to your question.  You need to set up both an internal and an external relying party trust. If you use the external URL, it will always direct you to the signin page, if you use the internal URL, it will resolve you single
  sign on.
  I've configured IFD for CRM multiple times, and this is how it works. CRM looks at the URL. If you use the external URL (org.domain.com), it will prompt for credentials. So what you are asking for, a single URL that works single sign on internally and prompts
  externally really isn't possible.
  What I recommend is:
  1. make the external URL available internally
  2. Configure all outlook clients against the external URL, that way you won't have to reconfigure when someone goes internal to external
  3. Have users who are primarily internal use the internal URL for the web client, which will resolve single sign on
  4. Have users who are primarily external use the external URL for the web client
  For #1, since you only need to enter the credentials when you first configure CRM, it is in all effects single sign on.
  One thing I haven't tried that may work is using IIS redirect internally to redirect the external URL to the internal URL. There is also a powershell script in the IFD guide that you can use to make the outlook client switch between the internal and external
  URL's, but nothing that will give you a single URL that works as the internal relying party trust when internal and the external relying party trust when you are external.

• Use Same URL for Internal and External Access for CRM 2015 IFD

  I have setup a CRM2015 server for IFD access.
  ADFS and CRM are on separate servers.
  CRM server all roles
  ADFS 2.0 server.
  Using the internal URL I am able to access CRM without entering my details (as expected)
  Using the external URL I am authenticated by ADFS as expected and can sign in.
  We have an internal domain domain.local
  We have an external domain domain.com (the certificate is for *.domain.com)
  We have a DNS zone created internally for domain.com.
  CRM URLs
  internal : internalcrm.domain.com
  External : externalcrm.domain.com
  I would like all users to use the same link regardless of them being internal or external, but I would like so that any user who is on the domain is automatically logged in without entering their username and
  password. What is the best way to do this?
  I have tried creating a cname record on the internal domain.com zone pointing externalcrm.domain.com to internalcrm.domain.com but that didn't work, I still get the ADFS sign in page.
  Thanks

  So fair warning, what you're asking for isn't really a supported deployment method of CRM.
  That said, you should be able to do some DNS trickery internal to your network that points your "crm.domain.com" to "crm.domain.local" and then hopefully CRM will treat the connection as if it came from an internal network.
  Otherwise, you're likely going to have to accept that everyone gets the ADFS login page internal and external to your network.
  The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.

• How to Setup RDS custom property when internal and external domain name space is different

  Hi All
  I am setting up RDS for customer
  My internal domain name is domain.local and my external domain is domain.com
  I came across below PowerShell cmdlets on some blogs because my internal and external name space are different
  Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty “use redirection server name:i:1 `n alternate full address:s:remote.domain.com”
  In above command, remote.domain.com points to which host?
  Is it pointing to RD Session Broker
  OR
  Pointing to RD Session Host servers
  I am not sure what above command will do exactly ?
  Any help will be highly appreciated
  Thanks Best Regards Mahesh

  Hi,
  It all depends who is accessing the RDS Solution.
  If you have a large BYOD or large number of external users, it would be better to use a public certificate.
  Have a look at the following script which will simplyfy the configuration of the RDSH hosts with certificates.
  http://ryanmangansitblog.com/2014/05/20/rds-2012-rdsh-certificate-deployment-script/
  You can use a custom RDP property to hide the Session host names.
  Have a look at the following article on configuring certificates:
  http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
  Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

• CRM2015 IFD Internal and External Domains

  I am trying to setup CRM2015 with IFD. My internal domain is xr.local and external domain name is somethingelse.com. When going through the directions and searching through the forums I see similar questions regarding with no real information on the possibility.
  Am I able to set this up to support 2 different domains and where might I find some guidance to do so?
  Thanks...
  GY

  Hi David,
  Yes. the above setup should "do the trick" as the servers you put with blank DNS entry should be excluded in the NRPT table.
  You can confirm this by running at the client: netsh name show polocy
  at command line and see something like:
  Settings for da.domain.com
  Certification authority                 :
  DNSSEC (Validation)                     : disabled
  DNSSEC (IPsec)                          : disabled
  DirectAccess (DNS Servers)              :
  DirectAccess (IPsec)                    : disabled
  DirectAccess (Proxy Settings)           : Use default browser settings
  Settings for .domain.com
  Certification authority                 :
  DNSSEC (Validation)                     : disabled
  DNSSEC (IPsec)                          : disabled
  DirectAccess (DNS Servers)              : 1234:1234:1234:3333::1
  DirectAccess (IPsec)                    : disabled
  DirectAccess (Proxy Settings)           : Bypass proxy
  So in this scenario the .domain.com is using the DA while the specific entry (da.domain.com) is set as exclude and have emptry DNS ...
  Hope this helps,
  Ophir.

• Using Mac Mini server, DNS, static IP, and external domain name

  Greetings!
  I need to know the direction to take in order to use my domain name for the great features offered in the mac mini server, while having local and public access to my server with security.
  I am trying to do the following on my new mac mini server:
  -Set up DNS (myserver.private)
  I have a static IP I want to use for all this with my ISP
  -ftp access
  -ichat ([email protected])
  -email ([email protected])
  -ical etc. ([email protected])
  -my work website(mydomain.com) with public access!
  -host websites(other domains)
  I need to know the direction to take in order to use my domain name for these features. I have a domain name with godaddy, and I am happy with keeping it with them, however, how to I make my external domain name work on my private server with public access is the question?
  Thank you,
  Daniel G

  [Read this|http://labs.hoffmanlabs.com/node/1436] as a start; you're basically going to decide if you want to use NAT or not; if you have enough public static IP addresses to avoid the disaster that's NAT. If you want to use NAT (and few reasonable folks want to, but sometimes we have to), then you get to run your own DNS services internally, and establish public DNS and power-forwarding at a (preferably server-grade) firewall. With NAT, you end up with split DNS, and that's covered in the cited document.
  ps: it's easier to [use sftp|http://labs.hoffmanlabs.com/node/942]; while that shares three letters with ftp, it avoids most of the problems of ftp.

• Reverse proxy for internal and external

  Hello,
  BM1 is our main BM3.9 Box. I have reverse proxy configured for webaccess and to release emails from our spam filter externally (this works). This BM server also is our external DNS, and our default route for Internet traffic.
  Another BM box is our internal DNS.
  I need to modify BM1 config to enable client internally to release emails from our spam filtering software. The error issued is 504 Gateway timeout.
  Do I just add the internal ip address to the BM1 accelerator entry meaning that the same accel will listen for both internal and external addresses ?
  Any help is appreciated
  Regards
  Brian

  bdavis97,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Different MOH for Internal and External Calls

  Is it possible to have a different MOH source for internal vs external calls.
  I know that Network MOH is for transfering but can this be used for external MOH source from the PSTN?

  There's really no way to do this easily. The issue is that the call to a PSTN phone would flow through a gateway and if an IP phone put this call on hold, then the Audio Source configured on the IP phone would determine the MoH file/source and the MRGL of the gateway would determine which MoH server it actually came from. As a result, there's really no way that the IP phone placing the call on hold could specify a different audio source for an internal call (to another IP phone) because even if the other phone has a different MRGL (and therefore a different MoH server), the MoH audio source will be the same

• Exchange certificates and services setup for internal and external clients access on separate domains.

  I have the following on my local network.
  Server DomainA -> Small Business server 2003/Exchange 2003
  Server DomainB -> Windows 2008 R2/Exchange 2013
  Clients Domain A ->  Windows XP/Outlook 2003
  Clients Domain B -> Windows 7/Outlook 2007/2010
  Problem:  I want clients from DomainA to log into Exchange on DomainB on the same local network.
  I need to know how to setup the DNS on both domains and the certificates on the DomainB Exchange server
  to accept the connection from the PC on domainA.   All connections from clients on domainB to server on domainB
  work correctly but when adding accounts to Outlook 2003/2007 on domainA clients I am getting certificate errors.
  I have purchased certificates for mail.domainb.com and autodiscover.domainb.com but I dont know how to get 
  the clients on domainA to recognize those external URL's of the exchange server (with the certificates bound to them) from the internal network. Hence I get domain errors.
  I am getting issues when a client on DomainA tries to add an Outlook mail profile to connect to the Exchange on DomainB
  Any suggestions on how to set this up?
  thanks

  Domain A & Domain B are two separate AD Forests?
  Users in Domain A either need mailbox-enabled user accounts that are in DomainB or a linked mailbox in Domain B to utilise the Exchange Server in DomainB. In either case with the help of the autodiscover service user can use the services in ExchangeB. 
  If the client machines are member of domainA and you are trying to access ExchangeB you will then need to leverage a custom XML file for autodiscover and force the Outlook client to use this file. 
  <?xml version="1.0" encoding="utf-8"?> 
  <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> 
    <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> 
      <Account> 
        <AccountType>email</AccountType> 
        <Action>redirectUrl</Action> 
        <RedirectUrl>https://autodiscover.domain.com/autodiscover/autodiscover.xml</RedirectUrl> 
      </Account> 
    </Response> 
  </Autodiscover>
  Then you need to configure the client machine to query that XML file by adding the following registry key:
  Refer to XML file
  for Outlook 2007:
  HKCU\Software\Microsoft\Office\12.0\Outlook\Autodiscover
  for Outlook 2010:
  HKCU\Software\Microsoft\Office\14.0\Outlook\Autodiscover
  STRING_value <your_namespace> = path to XML file
  you can find more information in the following link.
  Controlling Outlook Autodiscover behavior
  http://blogs.technet.com/b/kristinw/archive/2013/04/19/controlling-outlook-autodiscover-behavior.aspx
  CK

• Same internal and external domain names - AGAIN!

  Hi all-
  Like many of you, I am confronting the problem of having the same FQDN for both my Active Directory domain and Internet domain.  For the sake of discussion, let's call the domain rlh.com.
  I need to access an externally-hosted website on the rlh.com domain.  The site is coded exclusively to use rlh.com and NOT
  www.rlh.com.  Therefore, the old trick of adding a static www A record on my internal DNS server will not work.
  It looks like another option is to install IIS on my DC and then configure some type of forwarding to the external site.  While this might work, frankly, I don't want IIS on my DC.  It's a DC, not a web server.
  Yet a third option, correct me if I'm wrong, looks to be using some type of "split DNS."  Though I have not read the particulars (yet) of this solution, I am suspicious of it causing DNS inefficiencies.
  All of these solutions look to me to be workarounds.  I am preparing to install a new DC (upgrading from 2003 to 2008 R2) and want to FIX the problem, not work around it.  That said, it looks like I have two options:
  1.  Rename my existing 2003 AD domain using rendom
  2.  Install the new 2008 R2 DC with the new domain name, setup domain trust between the old and new domains, and then use ADMT.
  Can someone please comment on my logic here?  Does anyone have experience with both of the two options?  Is one less painful than the other?
  As I preparatory step, I have migrated from my onsite Exchange 2003 server to Office 365.  Exchange is no longer present in my organization, though some slight "remnants" may remain in Active Directory.  Other than Exchange, I have a
  Hyper-V host, 2 SQL Servers, and 3 RDS servers present in my environment.
  Thanks.

  I realized this was answered, but I would like to add the following comprehensive blog on this subject.
  Can't Access Website with Same Name (Split Zone or no Split Brain)
  Published by Ace Fekay, MCT, MVP DS on Sep 4, 2009 at 12:11 AM  1278  0
  Note - In an AD same name as the external name (split zone) scenario, if you don't want to use WWW in front of URL, such as to access it by
  http://domain.com, then scroll down to "So you don't want to use WWW in front of the domain name"
  http://blogs.msmvps.com/acefekay/2009/09/03/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name/
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Lync Implementation with different internal and external domain sync

  Hello Experts,
  Having Windows 2012r2 with Lync 2013 frontend and Edge 2012 server on Win2012. Internal domain name is test.local and Internet domain name is : tgroup.com. Internally all the clients are able to sync with frontend
  server using [email protected] or [email protected] Internal CA and External Digicert works fine. But only problem is with external clients who want to communicate through edge server. 
  Edge server has 3 LAN ip address (nat with public IP), 10.10.10.2, 10.10.10.3, 10.10.10.4 and another Internal network interface which has ip 10.10.20.3
  which uses that to communicate with front-end. 
  How to achieve this ?  We dont have reverse proxy configured and we have only two servers. 
  Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

  The reverse proxy is used to publish URL's like the meet and dialin url, the address book url and the lync mobile client (smart phones and tablets) urls. This doesn't impact the external desktop user access as thats via the edge server. There is more to
  it than that but for the sake of keeping this simple lets stick to that for now.
  As far as SIP domains go. Think of your Lync users as having a SIP address similar to email addresses. You wouldn't have a user with an internal email address but with a different external email address. In fact best practice is to have the Lync SIP address
  match the email address.
  My reccomendation is to use the ttgoup.com as a sip domain and not the test.local
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Lync Sorted blog

• Exchange 2013 SMTP Mail Flow from external domains

  I have query related to mail flow for incoming mails from external domains from Internet facing site. There are two sites - Site A & Site B. Both have Exchange 2013 CAS servers in NLB and Exchange 2013 Mailbox in individual DAG - say DAG1 in Site
  A and DAG2 in Site B. Site A is Internet facing site and site B is not Internet facing.
  An incoming Internet mail meant for recipient in Site B will land in Exchange 2013 CAS server in Site A. This CAS Server in Site A will look for the recipient in local Domain Controller and get to know the mailbox database of this recipient is in DAG2 (
  in site B ) Will the FET service in EX2013 CAS in Site A make a SMTP connection with FET service of EX2013 CAS in site B which will then make SMTP connection to EX2013 Mailbox server in Site B which is holding the recipient mailbox Active copy for delivery.
  OR
  EX2013 CAS will send this mail to Ex2013 Mailbox server in site A and the Hub Transport service running in in site A will then make SMTP connection with EX2013 Mailbox server in Site B which is holding the recipient mailbox Active copy
  Need clarification on above
  Thanks
  Parveen

  Hello,
  Come back and mark the replies as answers if they help and unmark them if they provide no help.
  I'm marking the reply as answer as there has been no update for a couple of days.
  If you come back to find it doesn't work for you, please reply to us and unmark the answer.
  Cara Chen
  TechNet Community Support

• Outlook 2013 - Exchange 2013 - Prompts for username and password when EWS basic authentication is enabled

  So we have an Exchange 2013 environment, and a CRM solution that requires basic authentication to EWS internally.  Problem is, after a reboot of our Exchange server, all of our Outlook clients begin prompting for username and password (which nothing
  works) which also starts locking users AD accounts out due to failed login attempts (somehow).  If I disabled basic authentication on EWS, Outlook authenticates as normal using NTLM and there are no issues.  Once Outlook has authenticated, I can
  turn back on basic authentication, and Outlook will be fine until the next time the Exchange server is rebooted.
  Any ideas?

  Hi,
  According to your description, I understand that Outlook client prompted for username and password when Exchange server restart and basic authentication is enabled for EWS.
  If I misunderstand your concern, please do not hesitate to let me know.
  It’s normal. This caused by the difference between basic authentication and NTML authentication:
  Basic, with any version of Outlook prior to 2010, results in a pop up dialog asking for creds. Outlook 2010 makes the 'save this password' actually work, so in an Outlook 2010 or later world, Basic can mean no need to authenticate every time you open/reconnect,
  but in all earlier versions, you will have to enter creds every time.
  NTLM, when used by a client that is domain joined and logged in with cached creds, results in the client simply sending the cached in creds to the server, resulting in what looks like a pretty seamless single sign on experience. However, if you want to do pre-authentication
  at something like TMG, and not let the traffic go all the way to CAS, you need to configure TMG for this.
  Thanks
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Allen Wang
  TechNet Community Support