Exchange 2013 SSL Headaches

Summary:
I currently own an external domain and a wildcard cert for this domain, e.g. Broke.net.
My internal AD domain is, e.g., Fix.com (this name is owned by another company externally).
I have external access to webmail working.  My problem is when I try to connect Outlook 2013 internally I have a certificate mismatch.  I cannot purchase a SAN cert to include this internal domain because it is currently owned.
Do I have any options with internal DNS to resolve my issue?  Any direction or help is greatly appreciated.
I have read numerous articles but I'm not an SSL/Exchange guy.
Thank you,
WilleG

This article about pin-point DNS will apply to 2013 as well.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-pinpoint-dns-zones-exchange-2010.html
Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

Similar Messages

  • Multiple Exchange 2013 SSL Certificates & Web Services URLs

    I have two Exchange 2013 CU5 Standard servers in a DAG.  Both servers have both the CAS and Mailboxes roles installed.  
    The servers are running Server 2012 Standard.  The DAG uses a file share witness server.  
    The witness server and one Exchange server, which is usually the active server, are on the same subnet in our primary data centre. 
    The second Exchange server is on a different subnet in our backup data centre across town.
    The domain that these servers are in is part of a forest with another domain. 
    That domain is, physically, in another jurisdiction.  The domains share a namespace. 
    All users in both domains have username at name.com as their e-mail address.
    The other domain has two Exchange 2013 servers in a DAG.  It also has one Exchange 2007 server, that is being phased out. 
    All messages that my domain users send to external recipients pass though the Exchange servers in my domain, a firewall for my domain, an Internet connection, a firewall in the other domain, the Exchange servers in the other domain, the firewall for
    the other domain, and then out to the external recipients.  The reverse path is followed for inbound mail from external senders. 
    All ActiveSync traffic for my users passes through the Exchange servers and a proxy server in the other domain. 
    I have a self-signed SAN certificate on the Exchange servers in my domain. 
    That certificate is also deployed on all of the mobile devices that my users have.
    I have been asked to see if I can set things up so that a test user can send and receive e-mail with their mobile device, and have that traffic go from my Exchange servers, through the firewall for my domain, and out to external recipients. 
    Due to a lack of test systems, I have been asked to develop this on my production servers, without disrupting the existing mail flow. 
    Is that possible?  What would need to be done to accomplish this? 
    If the test is possible, and successful, my Exchange servers, and all other relevant systems, would be changed so that all mail traffic from my domain no longer goes through the other domain.

    You could set a test send connector for @outsidedomain.com to use your Exchange servers as source servers, and make sure you have at least one reverse DNS entry (PTR) in place for whatever IP your external firewall presents to the world for the Exchange
    servers. This is critical in order not to have the rest of the world discard your emails (spammers usually fail the reverse DNS name).
    For incoming traffic, you could use a DNS domain that you own and that's not in use currently (eg oldcompany.com belonging to someone your current employer purchased) and have an MX record for this pointing to the public IP address(es) of the published Exchange
    servers.
    However mail routing cannot be done to work one way with mobile devices and another way with Outlook. In this case both ActiveSync and Outlook are simply interfaces to send/receive emails using your common SMTP infrastructure. So once configured for the
    test as above, both ActiveSync, Outlook, OWA, EWS clients will send/receive emails in the same way. In the example above - anyone sending to @outsidedomain.com, regardless it's the users hosted on your Exchange servers or the ones in the other domain, will
    be sent using the new route.

  • Exchange 2013 autodiscover finds external & internal SSL certificate causing autodiscover to fail

    Hi:
    I'm currently working on a Windows 2012 server with Exchange 2013. Let's say our internal domain is "cars.com" and that is ALSO the case for our external domain. We have purchased an SSL wildcard Positive certificate
    *.cars.com so that we could configure Outlook Anywhere. We have created the needed DNS records at GoDaddy and on our internal server; OWA, ECP, it all works if you go to https://bird.cars.com/owa,
    because we have a DNS record for bird in GoDaddy and on our local server, so all of that is working like a pro! Here comes the tricky part: our website is registered in GoDaddy but hosted by someone else, a company called Poetic Systems. When we test the connection
    with the Remote Connectivity Analyzer website we get a very peculiar error that says SSL certificate not valid; it provides the name of the certificate it found and it is not ours. We found that the hosting company is listening on port 443, therefore it
    is pulling their self-signed certificate also. Does anyone have a fix for this? I have done this same setup before for other companies and this is the first time a situation like this happens. I REALLY NEED HELP !!!!!

    Hi,
    According to your description, there is a certificate error when you test Outlook Anywhere connection by ExRCA.
    If I misunderstand your meaning, please feel free to let me know.
    And to understand more about the issue, I’d like to confirm the following information:
    What’s detail error page?
    Check the Outlook Anywhere configuration: get-outlookanywhere |fl
    Check the certificate : get-exchangecertificate |fl
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • How can i publish owa on exchange 2013 without ssl?

    Hi,
    I need to connect to OWA on Exchange 2013 without SSL.
    But when I change the config from HTTPS to HTTP, my IIS returns an internal error.
    Can anybody tell me how to switch from HTTPS to HTTP step by step on Exchange 2013?
       Regards

    Check out http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx#OWA
    Bharat Suneja
    Exchangepedia.com | bsuneja
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Please do not send email directly to this alias. This alias is for newsgroup purposes only.

  • SSL error when trying to sync tasks to Exchange 2013

    I followed the documentation on setting up Exchange 2013 and SharePoint 2013 for task synchronization. When I try to sync the tasks to Outlook, I get an error telling me that the user mailbox on Exchange may not support task synchronization. When I look
    in the ULS logs in SharePoint I see the following error:
    An operation failed because the following certificate has validation errors: Subject Name: CN=localhost.localdomain Issuer Name: CN=localhost.localdomain Thumbprint: 5D64E20B424D4A613288024734CAD805A1BD7B0E Errors: SSL policy errors have been encountered. Error code '0x6'..
    Problem is I don't know what certificate this is referring to. Has anyone seen this issue before or can give me any advice on tracking down this certificate? The cn=localhost cn=localdomain is confusing to me.

    IsSelfIssuer                  : True
    NameId                        :
    [email protected]
    RegisteredIssuerName          :
    [email protected]
    IdentityClaimTypeInformation  : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
    Description                   :
    SigningCertificate            : [Subject]
                                      CN=Microsoft Exchange Server Auth Certificate
                                    [Issuer]
                                      CN=Microsoft Exchange Server Auth Certificate
                                    [Serial Number]
                                      608E9FC955BFE4984AAE55D83CA59A04
                                    [Not Before]
                                      12/4/2012 12:08:28 PM
                                    [Not After]
                                      11/8/2017 12:08:28 PM
                                    [Thumbprint]
                                      16C0746EE25DA6CC718BCCF297F8C6E70EFB0908
    AdditionalSigningCertificates : {}
    MetadataEndPoint              :
    https://ex-cas.domain.com/autodiscover/metadata/json/1
    IsAutomaticallyUpdated        : True
    Name                          : Exchange
    TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTr
                                    ustedSecurityTokenService
    DisplayName                   : Exchange
    Id                            : 42563965-6ae1-4a71-a959-77510f5ab1a7
    Status                        : Online
    Parent                        : SPSecurityTokenServiceManager
                                    Name=SecurityTokenServiceManager
    Version                       : 935681
    Properties                    : {}
    Farm                          : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties   : {}

  • SSL for Exchange 2013 with ARR

    Hi,
    Need advice on the number of SSL i would need to purchase.
    I know that I require to have a SSL with example: mail.domain.com & autodiscover.domain.com
    How about the ARR server that I will be setting up. Refer to http://social.technet.microsoft.com/Forums/exchange/en-US/fe8d1aae-a3c9-432a-a139-7b770cb07576/new-exchange-2013-setup-vmware?forum=exchangesvrdeploy
    do i need to have a SSL cert for the ARR server?
    Thanks in advance!

    Hi,
    As others have said above, we do not need to generate a new certificate for the IIS ARR server. We can configure all protocols (OWA, ECP, EWS etc.) published with the mail.domain.com namespace.
    When installing IIS ARR, we can export the Exchange certificate (from a CAS) and import the certificate into the local machine certificate store on the IIS reverse proxy, together with any required root or intermediate certificates. For more information
    about it, here is a detailed article we can refer to:
    Reverse Proxy for Exchange Server 2013 using IIS ARR
    http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Exchange 2013 External Relay gives me a headache... Anonymous relay fail to external address

    I tried to set up external relay on my Exchange 2013 but was not able to do it. I don't know what else to do. I tried these:
    http://technet.microsoft.com/en-us/library/bb232021.aspx
    and these (which is pretty much same thing)
    http://www.shudnow.net/2013/06/04/how-anonymous-relay-works-in-exchange-2013/
    http://exchangeserverpro.com/exchange-2013-configure-smtp-relay-connector/
    http://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/
    http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx
    But still no luck. Here is a somewhat detailed description of what I tried to accomplish.
    The server which needs to send mail reports is sending these from a web server at another location, connected with a site-to-site VPN to the location where the server resides, as in the picture. I am able to relay to all
    addresses of the local domain, but when I try to send mails to my clients at external e-mail addresses, Exchange returns the message unable to relay.
    Here is the log from the unsuccessful operation:
    Connecting to [smtp.mydomain.com] port [25]...
    220 smtp.mydomain.com Microsoft ESMTP MAIL Service ready at Fri, 24 Jan 2014 17:19:45 +0100
    >HELO webserver
    250 smtp.mydomain.com Hello [89.x.x.x]
    >MAIL FROM: <[email protected]>
    250 2.1.0 Sender OK
    >RCPT TO: <[email protected]>
    ERR: Received the following unexpected repsonse:
    550 5.7.1 Unable to relay
    >QUIT
    221 2.0.0 Service closing transmission channel
    Here is the log from the successful operation:
    Connecting to [89.x.x.x] port [25]...
    220 smtp.mydomain.com Microsoft ESMTP MAIL Service ready at Fri, 24 Jan 2014 18:04:52 +0100
    >HELO webserver
    250 smtp.mydomain.com Hello [89.x.x.x]
    >MAIL FROM: <[email protected]>
    250 2.1.0 Sender OK
    >RCPT TO: <[email protected]>
    250 2.1.5 Recipient OK
    >RCPT TO: <[email protected]>
    250 2.1.5 Recipient OK
    >DATA
    354 Start mail input; end with <CRLF>.<CRLF>
    >From: Dane <[email protected]>
    >To: [email protected]
    >Subject: asd
    >Date: Fri, 24 Jan 2014 18:03:08 +0100
    >X-Mailer: Qm Version 2.1
    >MIME-Version: 1.0
    Content-type: text/plain
    >
    >test>
    250 2.6.0 <3ffb1fd6-e5e0-4232-9a6e-cac7b59db9df@exchange.mylocaldomain.local> [InternalId=6240587481093] Queued mail for delivery
    >QUIT
    221 2.0.0 Service closing transmission channel
    And here is picture:

    Hello,
    Thank you for your post.
    This is a quick note to let you know that we are performing research on this issue.
    Regards,
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

  • Using an SSL certificate for Exchange 2013

    Hi,
    I am not sure if this is the correct forum to post this question in.
    Basically we are migrating from Exchange 2007 to Exchange 2013. Our 2013 machines have both roles installed and do everything. They are configured in a DAG. We have no hardware load balancing/reverse proxy or etc. inside or outside.
    We use an alias of mail.domain.com to connect to OWA/ActiveSync and etc from the Internet.. this alias would point to mail1.domain.com which is the IP of the first Exchange 2013 server.
    If that server were to break, we would point the alias of mail.domain.com to mail2.domain.com which is the IP of the second Exchange 2013 server. Clients would not need any changes before they started connecting to the remaining mail server (eventually)
    and email would continue.
    I know this is not an ideal setup, but for now it is what we have and would keep us running in the event of server failure.
    My question is, when I request a certificate, do I need two of them with mail1.domain.com and mail2.domain.com as their primary and SAN of mail.domain.com OR do I request one certificate with mail.domain.com as the primary host and SAN of mail1.domain.com
    and mail2.domain.com (and install the one certificate on both servers).
    I want to include mail1.domain.com and mail2.domain.com as this can be helpful for testing and/or during migration.
    I hope that makes some sense and appreciate any help people can offer.
    Thanks!

    You do not need server names in the certificate if you are using mail.domain.com only in all of the URL settings.  You will want autodiscover.domain.com, however.
    Consider configuring a different internal and external name for Outlook Anywhere so that Outlook knows whether it is connecting from the Internet or internally.  For internal Outlook Anywhere, use a name that you don't publish to the Internet. 
    For example, use mail.domain.com for everything except internal Outlook Anywhere, use mailinternal.domain.com.  Put mail.domain.com, mailinternal.domain.com and autodiscover.domain.com in the certificate.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
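The certificate-name questions in this thread (the opening post's wildcard cert for the external domain versus internal URLs on the AD domain, the cars.com autodiscover post, and Ed's point that only the names actually used in the URL settings need to be in the certificate) all come down to the same check: does a name in the certificate cover the host in each Exchange URL? Below is an added example, not code from any poster, that implements the host-name matching rule (RFC 6125 style, which Windows clients also apply: case-insensitive, wildcard only as the whole left-most label, matching exactly one label) and runs it over constructed URL sets before and after a pin-point DNS name is introduced. It also lists the two HTTPS endpoints Outlook probes first for autodiscover, which is why a web host answering on 443 at the bare domain shows up in the Remote Connectivity Analyzer. All host names and URLs here are constructed from the examples in the thread.

```python
from urllib.parse import urlparse


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a host name.

    Comparison is case-insensitive; a wildcard is only honoured as the entire
    left-most label and covers exactly one label, so *.broke.net covers
    mail.broke.net but neither broke.net itself nor a.b.broke.net."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, host: str) -> bool:
    """True if any name in the certificate covers the host."""
    return any(hostname_matches(n, host) for n in cert_names)


def check_urls(cert_names, urls):
    """Map each Exchange virtual-directory URL to whether the certificate covers its host."""
    return {u: cert_covers(cert_names, urlparse(u).hostname) for u in urls}


def autodiscover_probe_order(email: str):
    """The first two HTTPS endpoints Outlook tries for a mailbox's SMTP domain:
    the domain itself, then the autodiscover subdomain. Later steps (HTTP
    redirect, SRV record) are not modelled here."""
    domain = email.rsplit("@", 1)[1].lower()
    return [f"https://{domain}/autodiscover/autodiscover.xml",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.xml"]


# Constructed scenario 1: wildcard cert for the external domain while the
# internal Exchange URLs still carry the AD domain (the mismatch in the first post).
WILDCARD_CERT = ["*.broke.net"]
URLS_BEFORE = ["https://exch01.fix.com/owa",
               "https://exch01.fix.com/ews/exchange.asmx"]
# After a pin-point DNS zone for mail.broke.net inside AD, the internal URLs
# point at a name the wildcard covers.
URLS_AFTER = ["https://mail.broke.net/owa",
              "https://mail.broke.net/ews/exchange.asmx",
              "https://autodiscover.broke.net/autodiscover/autodiscover.xml"]

# Constructed scenario 2: Ed's advice, one cert holding only the names the URLs use.
NAMED_CERT = ["mail.domain.com", "mailinternal.domain.com", "autodiscover.domain.com"]

if __name__ == "__main__":
    results = {**check_urls(WILDCARD_CERT, URLS_BEFORE),
               **check_urls(WILDCARD_CERT, URLS_AFTER)}
    for url, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {url}")
    for url in autodiscover_probe_order("user@cars.com"):
        print("autodiscover probe:", url)
```

Feed check_urls the names from Get-ExchangeCertificate and the URLs from Get-OwaVirtualDirectory, Get-WebServicesVirtualDirectory and friends; any FAIL is a name that either has to be added to the certificate or, as in the pin-point DNS approach, replaced in the URL with a name the certificate already covers.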

  • On Windows 2012 Terminal Server Outlook fails to connect to Exchange 2013

    I have a new install of Windows 2012.  I have two physical servers.  One is a W2012 std Domain Controller ("DC").  The Second is configured as W2012 HyperV  ("HV").  Under HV I have
    two VMs.  One VM is W2012/Exchange 2013 ("ExchVM) and the other is W2012/Terminal Server ("VMTS").  All systems are behind a firewall appliance.  Exchange is working via Outlook and OWA internally and externally.  The self
    created SSL must be installed manually on external machines since it comes up as an untrusted certificate.  Once installed remote outlook works and OWA works.  I have configured the terminal server and I am able
    to login remotely as various users under my "TS group".  The problem is when ever I attempt to open Outlook for the 1st time, it fails to connect to the exchange server.   (Open Outlook 2013, click next
    on the splash screen, "Yes" Add an Email Account splash screen, click next, Auto Account screen populates NAME and Email Address correctly, click next, Searching for mail server settings..., check on establishing network connection, check on searching
    for alias@ domain, then fails the logging on to the mail server)  The error reads:  "Outlook cannot log on.  Verify you are connected to the network and are using the proper server and mailbox name.  The
    connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."   I am connected in RDS from offsite, and from the RD session I can access shared folders on ExchVM and DC.  I have
    have verified the Exchange server name is correct via the "Get-ClientAccessServer" command.  I have also tried to use the GUID via "Get-Mailbox
    ALIAS | fl name, exchangeguid".  Keep in mind all desktop users on the network are connecting to Outlook without issue.
    I would appreciate any thoughts on solving this issue.

    Hi,
    According to your workaround, it seems that the Outlook Anywhere configuration in Outlook client is not correct when using the Autodiscover service.
    Once you connected to Exchange server by manually settings, please run Test E-mail AutoConfiguration tool in external Outlook client to check the autodiscover service:
    open Outlook - press CTRL key - right click on the Outlook icon from right bottom corner taskbar - Test Email AutoConfiguration. Put your email address - uncheck use guessmart and secure guessmart authentication - click Test to check your Autodiscover service.
    Please check the Log tab and confirm whether the Autodiscover service is connected successfully. Also confirm if the connection issue happens to all external users when they open Outlook for the 1st time. In Exchange server, please make sure
    autodiscover.domain.com has been included in your Exchange certificate which is assigned with IIS service.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Can't get OWA to work on Essentials 2012 R2 with Exchange 2013 on second server 2012 R2 std.

    I have previously with success setup a working solution with server 2012 essentials, and a second server 2012 std. with exchange 2013, I did it following this guide: http://technet.microsoft.com/en-us/library/jj200172.aspx
    Unfortunately I lost the server due to a cooling error which led to an un-repairable essentials 2012, since this was a new setup and also a test setup I didn't have any working backup solution setup at the time...tsk.tsk.
    Since I had to make a complete do over I chose to try out the new R2 server editions, and set it up following the same guide, when it came to this part:
    Download KB2732764 for ARR 2.5, and then install the update on the server that is running Windows Server 2012 Essentials.
    Copy the SSL certificate file for Exchange Server to the server that is running Windows Server 2012 Essentials. The certificate file must contain the private key, and it must be in the PFX file format.
    Note
    If you are using a self-issued certificate, follow the instruction in the Exchange Server article Export an Exchange Certificate to export the certificate.
    Open a command window as an administrator, and then open the %ProgramFiles%\Windows Server\Bin directory.
    Based on you installation scenario, follow one of these steps to configure ARR:
    If you are performing a clean setup, run the following command:
    ARRConfig config –cert “path to the certificate file” –hostnames “host names for Exchange Server”
    I noticed that the version of "Application Request Routing" had changed to version 3, so obviously I didn't need to download the 2.5 update. When I came to the part where I was instructed to run arrconfig config etc., I noticed
    that the ARRconfig file was no longer placed where the setup guide indicated. I then went ahead and tried some manual configuration regarding certificates and such. In the end I have a working solution where Exchange and OWA are working locally, but OWA isn't
    working outside my local domain. The link gets placed in the RWA and is indicating the correct link for the Exchange server, www.remote.clinten.dk. I have a certificate which includes two separate domain names, the aforementioned and remote.clinten.dk, and
    I get no errors indicating certificate errors. When I try to connect to www.remote.clinten.dk/owa from outside I get a 404 error, and when I connect to www.remote.clinten.dk I get the RWA login screen for the Essentials RWA. Obviously I need to set up something
    in IIS, probably in the URL Rewrite section, but I can't seem to find the right setting. Can someone help with this?
    Btw. I have found the missing arrconfig file in c:\windows\system32\essentials and tried to run the command as described in the guide, "ARRConfig config –cert “path to the certificate file” –hostnames “host
    names for Exchange Server”", but it doesn't seem to work; it just prompts with a guide for using the arrconfig command and examples of correct use. I also tried removing the "" from the guide, like this: "ARRConfig
    config –cert path to the certificate file –hostnames host names for Exchange Server".
    When I ran it without the "" it didn't prompt me with anything, nor did it indicate any errors; it did not however make my OWA work either.
    I am aware that Exchange 2013 atm. isn't officially supported on the R2 server, but Exchange works fine inside my domain, and POP3/SMTP also works from outside. Since this is a test environment, using only my own private domain and not a company
    domain, I figured it would be ok to run the risk.. ;)

    Hi
    found this on
    https://social.technet.microsoft.com/Forums/en-US/1f099068-b3ed-44f3-a8c4-c22d760a8621/arr-broken-or-bad-syntax-exchange-2013-essentials-2012-r2?forum=winserveressentials
    "Ok just an update for anyone else how has this issue.
    The problem has been solved by Microsoft and I have included their findings below, but basically it comes down to a typo!
    I often use notepad to have all the commands I need on hand, and I must have copied the command direct from the TechNet article or other website and customised the required fields. The issue with this is one of the characters did not “convert” - for want
    of a better word. I should have retyped the whole command from scratch and it would have been right!
    Thanks for everyone’s input and for Microsoft for getting to the bottom of it.
    From Microsoft:
    We have tested on your environment and here is the investigation result from our senior engineer:
    ================================================================
    Basically the command fails due to an invalid parameter; the invalid one is the ‘-‘. I think the one the customer used is copied from the online document sample, which translates to the unicode 0x8211, meaning “en dash”; it
    can’t be input by a normal keyboard, so I'm pretty sure it is from the web (mostly HTML documents).
    The one we check (compare) is ‘-‘ which has the code 0x45.
    So it always failed to compare the parameter and ARRconfig.exe thought it was an invalid parameter.
    The solution is quite simple: just use the keyboard to retype the command, using a normal ‘-‘. I have tried it and the password prompt shows.
    Best Regards,
    Johnny Chen
    Microsoft Partner Support Community Technical Support Engineer
    Microsoft Global Partner Services"
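The failure quoted above comes down to a pasted command containing a character that looks like a hyphen but is not U+002D HYPHEN-MINUS (the numbers in the quoted note are the decimal code points: 8211 is U+2013 EN DASH and 45 is U+002D). The following is an added example, not code from the thread or from Microsoft: a small checker that flags every dash or quotation mark lookalike in a command line, reports its code point and Unicode name, and produces an ASCII-normalized copy. The sample command is constructed for the example; the certificate path and host name in it are placeholders.

```python
import unicodedata

# Characters that render like a hyphen or a quote but are not the ASCII ones
# that command-line parsers (ARRConfig.exe included) compare against.
LOOKALIKE_DASHES = {
    "\u2010",  # HYPHEN
    "\u2011",  # NON-BREAKING HYPHEN
    "\u2012",  # FIGURE DASH
    "\u2013",  # EN DASH (the one in the quoted case)
    "\u2014",  # EM DASH
    "\u2212",  # MINUS SIGN
}
SMART_QUOTES = {
    "\u201c": '"', "\u201d": '"',  # left/right double quotation mark
    "\u2018": "'", "\u2019": "'",  # left/right single quotation mark
}


def find_lookalikes(cmd: str):
    """Return (index, char, unicode name, code point) for every lookalike in cmd."""
    hits = []
    for i, ch in enumerate(cmd):
        if ch in LOOKALIKE_DASHES or ch in SMART_QUOTES:
            hits.append((i, ch, unicodedata.name(ch), f"U+{ord(ch):04X}"))
    return hits


def normalize(cmd: str) -> str:
    """Replace every lookalike with its ASCII equivalent; other characters are kept."""
    out = []
    for ch in cmd:
        if ch in LOOKALIKE_DASHES:
            out.append("-")
        elif ch in SMART_QUOTES:
            out.append(SMART_QUOTES[ch])
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: the ARRConfig line as it typically arrives from a web page,
# with en dashes before the switches and curly double quotes around the values.
PASTED = ("ARRConfig config \u2013cert \u201cC:\\certs\\exchange.pfx\u201d "
          "\u2013hostnames \u201cmail.example.com\u201d")

if __name__ == "__main__":
    for index, ch, name, cp in find_lookalikes(PASTED):
        print(f"offset {index:3d}: {cp} {name}")
    print("normalized:", normalize(PASTED))
```

Run the checker over anything copied from a web page before executing it; a clean command returns an empty list from find_lookalikes, and normalize gives the form a parser expecting plain ASCII switches will accept.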

  • Unable to send to external email recipients - Multi Tenant Exchange 2013 - MultiRole servers in DAG

    Greetings all, I hope someone can help.
    I have created a Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Send Connectors are the default ones created during install. Receive connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for many hours with no progress.
    I have created new Send Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet; I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    I am at a loss as to why I can't send out with the default configuration. I would assume that email would flow out without any changes, but this does not happen.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

    Greetings all, I hope someone can help.
    I have created a Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine.
    Incoming mail from external senders is also fine. - 
    external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Receive Connectors are the default ones created during install. Send connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for several days with no progress.
    I have created new Receive Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet; I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    Even more info - Further troubleshooting -
    I found my one of my Exchange servers had an extra NIC. I have since added a second NIC to the other server, so now both Exchange servers have dual NICs. I removed the DAG cleanly and recreated the DAG from scratch, using this link -
    hxxp://careexchange.in/how-to-create-a-database-availability-group-in-exchange-2013/ 
    The issue still exists, even with a newly created DAG. I also found that the Tenant Address Books were not 'applied'. I applied them but still no resolution
    I think the issue is related to multi-tenant configuration even though the error says that it can't relay. The unable to relay message can appear when sending from a domain that the Organization does not support. Like trying to email as [email protected]
    when you domain name is apple.com - But through extensive research I still can't resolve the issue.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry
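Both relay threads above (the web-server relay with the two SMTP transcripts, and Terry's multi-tenant DAG) end at the same response, 550 5.7.1 Unable to relay. The model below is an added example, not code from the posts or from Exchange: it reproduces the decision a receive connector makes at RCPT TO. A recipient in an accepted domain is always accepted; a recipient elsewhere is accepted only if the connector selected for the client's source IP grants anonymous relay (ms-Exch-SMTP-Accept-Any-Recipient), and Exchange selects the connector whose RemoteIPRanges contains the client IP most specifically. The accepted domains, connector names and IP ranges are constructed for the example; the response strings are the ones in the transcripts.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ReceiveConnector:
    name: str
    remote_ip_ranges: list            # CIDR strings, e.g. "192.168.11.0/24"
    anonymous_relay: bool = False     # Accept-Any-Recipient granted to Anonymous


# Constructed: the domains this organisation accepts mail for.
ACCEPTED_DOMAINS = {"mydomain.com", "mylocaldomain.local"}


def select_connector(connectors, remote_ip: str):
    """Pick the connector whose RemoteIPRanges contains the client IP,
    preferring the longest (most specific) prefix, as Exchange does."""
    ip = ipaddress.ip_address(remote_ip)
    best, best_len = None, -1
    for conn in connectors:
        for cidr in conn.remote_ip_ranges:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best, best_len = conn, net.prefixlen
    return best


def rcpt_to(connectors, remote_ip: str, recipient: str) -> str:
    """Simulated SMTP response to RCPT TO from the given client IP."""
    domain = recipient.rsplit("@", 1)[1].lower()
    conn = select_connector(connectors, remote_ip)
    if conn is None:
        # Would not happen with a default connector bound to 0.0.0.0/0.
        raise ValueError(f"no receive connector matches {remote_ip}")
    if domain in ACCEPTED_DOMAINS:
        return "250 2.1.5 Recipient OK"        # inbound mail, never relay
    if conn.anonymous_relay:
        return "250 2.1.5 Recipient OK"        # relay granted by this connector
    return "550 5.7.1 Unable to relay"


# Constructed connector set: the default frontend connector (no relay, covers
# every IP) plus a dedicated relay connector scoped to the web server's subnet.
CONNECTORS = [
    ReceiveConnector("Default Frontend", ["0.0.0.0/0"]),
    ReceiveConnector("Relay from web server", ["10.0.5.0/24"], anonymous_relay=True),
]

if __name__ == "__main__":
    # Placeholder client IPs: an Internet host and the VPN-connected web server.
    for ip, rcpt in [("89.0.0.1", "user@mydomain.com"),
                     ("89.0.0.1", "client@example.org"),
                     ("10.0.5.20", "client@example.org")]:
        print(f"{ip:10} RCPT TO:<{rcpt}> -> {rcpt_to(CONNECTORS, ip, rcpt)}")
```

Two things follow from the model that match the troubleshooting in both posts. First, if the web server's connections arrive from an IP that is not inside the relay connector's RemoteIPRanges (a NAT or VPN address other than the one you expected), the default connector is selected and external recipients get 550 5.7.1; check the IP the server logs in its "Hello [...]" banner against the range. Second, the range is the only thing standing between a relay connector and an open relay, so keep it to the exact hosts that need it rather than a whole subnet or 0.0.0.0/0.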

  • How can I script out automatic mail profile connection to Exchange 2013

    We use a program called Desktop Authority 9.1 that is a fully featured KiXtart-based logon user profile customization tool.  It does a full gamut of things like map drives, folder redirection, import registry edits, run silent application installers,
    and of course create the Outlook profile.
    There are no issues with this tool creating an Outlook profile internally to mail.domain.com, and even detecting laptops and configuring it for Outlook Anywhere to webm.domain.com and cached mode.
    The issue I'm having is trying to roll out Exchange 2013.  This tool simply does not seem to create the mail profile.  On a test computer I have the hosts file pointed to the new 2013 server for these names: webm, mail, autodiscover.  At log
    on I simply get an error "The name cannot be resolved.  The name cannot be matched to a name in the address list."  When you click OK you get a little confusing dialog box with the Exchange server name: mail  and the mailbox: Windows
    user ID.
    So I tried to do this manually in the Mail (32-bit) control panel applet.  It doesn't matter if I put in mail, mail.domain.com, webm, webm.domain.com, email (the NetBIOS name of Exchange 2013), etc.. I get the same error.  I went into More Settings
    > Connection > Connect to Microsoft Exchange using HTTP, and in the proxy settings I have webm.domain.com, connect SSL only, only connect to proxy servers that have the name: msstd:webm.domain.com, and the rest is checked and NTLM Authentication is checked.
    I simply CANNOT manually create an Outlook profile at all.  I can surely delete this one, start Outlook, click Next through the wizard taking all the default options and get Outlook configured that way (via the Autodiscover service), but I need a way to
    do it manually so I can have Desktop Authority do it manually.  Why?  Two major reasons:
    1.  If our end users are greeted with an Outlook startup wizard every time they go to a different computer, and have to click Next through it, our help desk is going to be overwhelmed with "what is this Outlook startup wizard?" questions.
    2.  Desktop Authority also attaches additional mailboxes.  We need the Outlook profile passed through DA's scripting so different users' departmental voice mailboxes are attached in their Outlook.  I.e., mailbox VM_FAX_Accounting is attached
    to all of the accounting associates' Outlook.

    OK, I found another way to get Autodiscover to work.
    In Group Policy go to User Configuration > Administrative Templates > Microsoft Office 2010 (and 2013 in my case) > Miscellaneous > Suppress recommended settings dialog > Change to ENABLED.
    Now go to User Configuration > Administrative Templates > Microsoft Outlook 2010 (and 2013 in my case) > Account Settings > Exchange > Automatically configure profile based on Active Directory Primary SMTP address > Change to ENABLED.
    Now for the shared mailboxes, I guess when we plan to migrate a department, their shared mailbox MUST be migrated from 2007 to 2013 on the same evening, and then we must go into that shared mailbox and ensure each individual user has "Full access
    permissions" to it.
    Now in Desktop Authority we publish this reg file:
    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers]
    "autodiscover-s.outlook.com"=hex(0):
    "autodiscover.outlook.com"=hex(0):
    "autodiscover.domain.com"=""
    [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover\RedirectServers]
    "autodiscover-s.outlook.com"=hex(0):
    "autodiscover.outlook.com"=hex(0):
    "autodiscover.domain.com"=""
    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover\RedirectServers]
    "autodiscover-s.outlook.com"=hex(0):
    "autodiscover.outlook.com"=hex(0):
    "autodiscover.domain.com"=""
    Why that?  Well, it turns out in further testing, when I added full permission to a new 2013 test shared mailbox, yet another nag screen was presented in Outlook which states "Allow this website to configure [email protected] server settings?  autodiscover.domain.com/autodiscover/autodiscover.xml
    - Your account was redirected to this website for settings.  You should only allow settings from sources you know and trust.  (Allow) (Cancel)".  If end users see this, you can bet our helpdesk calls will be out of control.  We undergo security
    awareness training and they will question ANYTHING resulting in redirects or dialog boxes asking about trust, and really that's a good thing.
    That registry should, I think, handle Outlook 2007, 2010, 2013, and we will just have to maintain it for future versions.
    We maybe have, I don't know, less than 5 Outlook 2007 installs and they are on spare laptops, so if I want to cover it all I just have to download the Office 2007 ADMX templates for Group Policy so I can change those two settings above as well.
    The other way I thought of was to use PowerShell and script something out to pull the GUID from Exchange, append the @domain.com and put that into a variable that our Desktop Authority application can plug in at startup.  But that's a little too much custom
    programming, whereas I think using GPOs and documented registry keys may be a better fit.
    I just have to do testing to figure out what's going to happen to the user's profile if it already exists on 2007 and then it's migrated to 2013.  Will it be deleted?  Will they lose all of their signatures?  I know for many on-network
    PCs they will be going from a direct MAPI connection to cached mode.  Is that a good thing?  I would imagine less load on the server and network once the mail is downloaded.
    We would plan on a slow migration on a departmental basis.  Luckily our departments have their own user OUs, so applying this group policy can be done in the same manner.

  • Outlook can't connect with Exchange 2013 after migration from Exchange 2007

    Hello,
    recently we've done an Exchange 2007 SP3 to 2013 SP1 migration. Users can connect perfectly with OWA and with their iPhone clients.
    But the problem is they can't connect from their Outlook clients (2010, 2013), both internally and externally. It always fails with the message: The connection to Exchange is not available.... Can't resolve the name of the Exchange server.
    To try to resolve it we've done:
    - Checked the Outlook Anywhere configuration in EAC: it is configured with an external URL mail.company.com and internal server.domain.local. The security is the default Negotiate, but we've tried all.
    - Checked the internal DNS: there are records for mail.company.com and exchangeserverdomain.local pointing to the Exchange local IP. Also there is a public zone company.com with the record mail.company.com pointing to the Exchange local IP. Also we've made
    records autodiscover.company.com and autodiscover.domain.local pointing to the Exchange local IP.
    - In the public DNS for our domain there are the A and MX records pointing to our public IP. There isn't any Autodiscover record, but we think that the manual connection should work.
    - Checked certificates: we've made a new self-signed certificate including all these internal and external domains and for all services.
    - Checked for an Outlook Anywhere block: we've checked.
    Current server state:
    - The old Exchange 07 server can't start; it was in a very bad state and we managed to migrate the mailboxes to the new server. After that we tried to uninstall, but it crashes with a public folder replication error. We got to uninstall all the roles
    except the mailbox. After a restart it can't start.
    - The new Exchange 2013 looks great; there isn't any trace of the old server, or we haven't seen anything in the EAC or shell.
    I paste below the result of the Microsoft Remote Connectivity Analyzer, with the Outlook Anywhere test. It is clear that there is a problem with that.
    Sorry, the test is in Spanish and I translated it with Google; from here I can only access the tool in Spanish.
    We continue to try to resolve the problem.
    Thanks to all in advance!
    Testing RPC / HTTP connectivity.
    Error in testing RPC / HTTP.
    additional Details
    Elapsed time: 24295 ms.
    Test steps
    Connectivity Analyzer Microsoft is trying to test Autodiscover for [email protected] .
    Error in automatic detection test .
    additional Details
    Elapsed time: 24294 ms.
    Test steps
    Attempting each method of contacting the Autodiscover service .
    Failed to properly contact the Autodiscover service using all methods.
    additional Details
    Elapsed time: 24294 ms.
    Test steps
    Trying to prove possible Autodiscover URL https://empresa.com/AutoDiscover/AutoDiscover.xml
    Error in testing this potential Autodiscover URL .
    additional Details
    Elapsed time: 1509 ms.
    Test steps
    Attempting to resolve the host name in DNS empresa.com .
    The host name is resolved correctly .
    additional Details
    IP addresses returned : 80.36.252.194
    Elapsed time: 507 ms.
    Testing TCP port 443 on the host to ensure empresa.com listening or is open.
    The port was opened successfully.
    additional Details
    Elapsed time: 464 ms.
    Testing the SSL certificate to make sure it is valid.
    The SSL certificate is not exceeded one or more certificate validation checks .
    additional Details
    Elapsed time: 537 ms.
    Test steps
    Connectivity Analyzer Microsoft is attempting to obtain the SSL certificate from remote server on port 443 empresa.com .
    Connectivity Analyzer Microsoft successfully obtained the remote SSL certificate.
    additional Details
    Remote Certificate Subject : CN = mail.empresa.com , issuer : CN = mail.empresa.com .
    Elapsed time: 454 ms.
    Validating the certificate name .
    The certificate name was validated successfully .
    additional Details
    Hostname empresa.com was found at the entrance of the alternative subject name of the certificate.
    Elapsed time: 1 ms.
    Is validating the trusted certificate .
    Validation Error trusted certificate.
    Test steps
    Connectivity Analyzer Microsoft is trying to build certificate chains for certificate CN = mail.empresa.com .
    Could not build a certificate chain for the certificate.
    Tell me more about this issue and how to resolve
    additional Details
    The certificate chain did not end in a trusted root . Root = CN = mail.empresa.com
    Elapsed time: 31 ms.
    Trying to prove possible Autodiscover URL https://autodiscover.empresa.com/AutoDiscover/AutoDiscover.xml
    Error in testing this potential Autodiscover URL .
    additional Details
    Elapsed time: 21723 ms.
    Test steps
    Attempting to resolve the host name in DNS autodiscover.empresa.com .
    The host name is resolved correctly .
    additional Details
    IP addresses returned : 46.16.56.40
    Elapsed time: 498 ms.
    Testing TCP port 443 on the host to ensure autodiscover.empresa.com listening or is open.
    The specified port is blocked , not listening or does not generate the expected response .
    Tell me more about this issue and how to resolve
    additional Details
    Network Error communicating with the remote host.
    Elapsed time: 21224 ms.
    Attempting to contact the Autodiscover service with the HTTP redirect method .
    Error when trying to contact the Autodiscover HTTP redirect method .
    additional Details
    Elapsed time: 606 ms.
    Test steps
    Attempting to resolve the host name in DNS autodiscover.empresa.com .
    The host name is resolved correctly .
    additional Details
    IP addresses returned : 46.16.56.40
    Elapsed time: 14 ms .
    Testing TCP port 80 on the host to ensure autodiscover.empresa.com listening or is open.
    The port was opened successfully.
    additional Details
    Elapsed time: 202 ms.
    Connectivity Analyzer Microsoft is checking the automatic detection of host empresa.com for an HTTP redirect to the Autodiscover service.
    Connectivity Analyzer Microsoft could not get a HTTP redirect response for Autodiscover .
    additional Details
    Web exception occurred because an HTTP 404 response was received - Unknown NotFound . Headers received: Connection : close Content- Length: 1209 Content- Type: text / html Date: Wed, 12 Mar 2014 15:27:58 GMT Server : Apache/2.2.9 (Debian ) PHP/5.2.6-1 +
    lenny3 with Suhosin -Patch X -Powered -By : PHP/5.2.6-1 + lenny3 HTTP Response Headers : Connection : close Content- Length: 1209 Content- Type: text / html Date: Wed, 12 Mar 2014 15:27: 58 GMT Server : Apache/2.2.9 (Debian ) PHP/5.2.6-1 + lenny3 with
    Suhosin -Patch X -Powered -By : PHP/5.2.6-1 + lenny3
    Elapsed time: 388 ms.
    Attempting to contact the Autodiscover service using the method of DNS SRV redirect server.
    Connectivity Analyzer Microsoft could not contact the Autodiscover service using the DNS SRV redirect method .
    additional Details
    Elapsed time: 186 ms.
    Test steps
    Trying to find the SRV record in DNS _autodiscover._tcp.empresa.com .
    Not the Autodiscover SRV record in DNS found .
    Tell me more about this issue and how to resolve
    additional Details
    Elapsed time: 186 ms.
    Checking for a CNAME record for Autodiscover in DNS for your domain " empresa.com " to Office 365.
    Could not validate the Autodiscover CNAME record in DNS. If your mailbox is not in Office 365 , you can ignore this warning.
    Tell me more about this issue and how to resolve
    additional Details
    No Autodiscover CNAME record for your domain ' empresa.com ' .
    Elapsed time: 268 ms.
    jspt
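    The probe order the analyzer output above walks through (HTTPS on the root domain, HTTPS on the autodiscover host, the plain-HTTP redirect method, then the SRV record), together with the redirect trust rule behind the "Allow this website to configure ... settings?" prompt and the RedirectServers .reg export from the Desktop Authority thread above, modelled offline in Python. This is an added example, not code from either poster or from Microsoft; the function names, the sample .reg text and the simplified trust rule (a target inside the SMTP domain or listed under RedirectServers avoids the prompt) are constructed assumptions.

```python
"""Offline model of the Autodiscover probe order and the redirect trust rule.
Added example: function names, sample .reg text and the simplified trust rule
are constructed assumptions, not Microsoft's implementation."""
import re
from urllib.parse import urlparse

# Constructed copy of the RedirectServers export shape from the earlier post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers]
"autodiscover-s.outlook.com"=hex(0):
"autodiscover.outlook.com"=hex(0):
"autodiscover.domain.com"=""
'''


def parse_redirect_servers(reg_text: str) -> set:
    """Collect the value names under every ...\\AutoDiscover\\RedirectServers
    key of a .reg export; each name is a host Outlook may redirect to silently."""
    hosts, in_key = set(), False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.rstrip("]").lower().endswith(r"\autodiscover\redirectservers")
        elif in_key:
            m = re.match(r'"([^"]+)"=', line)
            if m:
                hosts.add(m.group(1).lower())
    return hosts


def autodiscover_candidates(email: str) -> list:
    """Probe sequence for an SMTP address, in the order the analyzer reports:
    two HTTPS POST targets, the plain-HTTP redirect probe, then the SRV name."""
    domain = email.rsplit("@", 1)[1].lower()
    path = "/Autodiscover/Autodiscover.xml"
    return [
        ("https", f"https://{domain}{path}"),
        ("https", f"https://autodiscover.{domain}{path}"),
        ("http-redirect", f"http://autodiscover.{domain}{path}"),
        ("srv", f"_autodiscover._tcp.{domain}"),
    ]


def check_redirect(domain: str, status: int, location, redirect_servers=frozenset()):
    """Classify the HTTP redirect probe as ("ok" | "prompt" | "fail", reason).
    Only a 302 to an absolute HTTPS URL is usable; a target outside the user's
    SMTP domain makes Outlook ask the user unless the host is pre-approved."""
    domain = domain.lower()
    if status != 302:
        return "fail", f"expected HTTP 302, got {status}"
    target = urlparse(location or "")
    if target.scheme != "https" or not target.hostname:
        return "fail", "redirect target must be an absolute https URL"
    host = target.hostname.lower()
    if host == domain or host.endswith("." + domain):
        return "ok", f"{host} is inside {domain}"
    if host in redirect_servers:
        return "ok", f"{host} pre-approved via RedirectServers"
    return "prompt", f"{host} is outside {domain}; Outlook will ask the user"


if __name__ == "__main__":
    # The HTTP 404 from the Apache host above is why the redirect method failed.
    print(check_redirect("empresa.com", 404, None))
    approved = parse_redirect_servers(SAMPLE_REG)
    print(check_redirect("empresa.com", 302,
                         "https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml",
                         approved))
```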

    Hello,
    We have the self-signed certificate that comes with Exchange, and we've created a new self-signed one including all our domains: mail.company.com, domain.local, exchange13.domain.local, autodiscover.company.com, autodiscover.domain.local.
    Below I paste the result of the command Get-ClientAccessServer | fl. Now we've configured an SCP object following the instructions of the Exchange Server Deployment
    Wizard from Microsoft. We've executed the commands on our new Exchange 13, but couldn't do it on the old Exchange:
    $AutodiscoverHostName = "autodiscover.contoso.com"
    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml
    This is the result of:
    RunspaceId                           : 89c86f8e-d156-4480-b31d-59215976879b
    Name                                 : EXCHANGE13
    Fqdn                                 : EXCHANGE13.domain.local
    ClientAccessArray                    :
    OutlookAnywhereEnabled               : True
    AutoDiscoverServiceCN                : EXCHANGE13
    AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
    AutoDiscoverServiceInternalUri       : https://autodiscover.company.com/Autodiscover/Autodiscover.xml
    AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
    AutoDiscoverSiteScope                : {Nombre-predeterminado-primer-sitio}
    AlternateServiceAccountConfiguration :
    IsOutOfService                       : False
    WorkloadManagementPolicy             : DefaultWorkloadManagementPolicy_15.0.825.0
    Identity                             : EXCHANGE13
    IsValid                              : True
    ExchangeVersion                      : 0.1 (8.0.535.0)
    DistinguishedName                    : CN=EXCHANGE13,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
    Guid                                 : e83055fe-217b-4ed6-9cd0-7711097baf99
    ObjectCategory                       : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
    ObjectClass                          : {top, server, msExchExchangeServer}
    WhenChanged                          : 09/03/2014 12:46:07
    WhenCreated                          : 08/03/2014 19:15:54
    WhenChangedUTC                       : 09/03/2014 11:46:07
    WhenCreatedUTC                       : 08/03/2014 18:15:54
    OrganizationId                       :
    OriginatingServer                    : severdc.domain.local
    ObjectState                          : Unchanged
    I hope this stuff can help you.
    Thanks!!
    jspt

  • Exchange 2013 - The connection to Microsoft Exchange is unavailable

    Hi there,
    I have some problems on my new Exchange 2013 server. Here is the topology:
    1 server 2012 in a workgroup with the Hyper-V role
    2 VMs: DC2012 is the DC of the domain intra.mydomain.com, Windows 2012
    The other VM is a member of the domain, Windows 2012, Exchange 2013 SP1 installed.
    So, I have dc2012.intra.mydomain.com and mail1.intra.mydomain.com (another DC: DC2008, name: dc2008.intra.mydomain.com)
    I have some troubles with the SSL and the connection of Outlook outside the LAN.
    In the LAN on a client, I launch Outlook 2010 and the Autodiscover does the rest. The connection is OK.
    But I have a client not in the LAN, so I configured an SSL certificate. I made a request. First question:
    In the ECP, Servers, Certificates, I have 3 times "Microsoft Exchange Server Auth Certificate" and 3 times "Microsoft Exchange" with different dates. Why?
    I installed my PKI on DC2012, pasted the request and downloaded the certificate. I returned to the Exchange server in ECP, Servers, Certificates and treated the pending request. In Services I checked IMAP, POP, IIS, SMTP.
    Then, in Servers, Servers, Mail1, Outlook Anywhere, in the external URL: mail.mydomain.com and Authentication: NTLM.
    In ECP, Servers, Virtual Directories I wrote the same external and internal URL: mail.mydomain.com for ECP, OWA, ActiveSync, OAB.
    In my DNS on the DC, I created a CNAME record for mydomain.com and I created an A record for mail. On a client, if I run nslookup mail.mydomain.com the IP is the LAN IP of my Exchange server.
    I modified the MX record of my public domain: mail.mydomain.com to point to my public IP. That works.
    On the client outside of the LAN, I installed the root certificate and the Exchange certificate.
    Second question:
    Why can't my client outside of the LAN connect with Outlook?
    Thanks a lot for your answers and sorry for the long post.
    Alex

    I resolved my problem!
    Here is the solution that solved it:
    Actually, I tried to connect Outlook 2010 to Exchange 2013. I knew that Exchange now connects Outlook via RPC over HTTP(S), BUT the Autodiscover (in LAN) transforms the Server field into something like:
    [email protected] , where the xxx corresponds to the GUID of the mailbox. So, for my remote user, I launch this command on Exchange 2013:
    Get-Mailbox test | fl name, exchangeguid
    It gives me the GUID, then in the field "Server" I fill in ([email protected]): [email protected]
    And in advanced parameters, the same things I mentioned in the previous post. And it works!!!!!
    Thanks to me.

  • What certs are needed in Exchange 2013?

    When I look in the certificate store in the Exchange Administrative Center I see 3 certificates: the one I used to self-sign during installation, the one I created utilizing the local CA, and another cert I don't know what it is.
    The first cert is the one from the local CA. Now in the "issuer" line the first field is 'cn=c2sddc2-ca, cn=....'. The c2sddc2-ca is NOT the machine name of the CA server; should it be? I just left the name that the AD Certificate Services gave
    the service. Plus this cert only handles the services IMAP and POP. Is this okay? I could have sworn I selected all the services. The second cert is the self-signed cert created during installation and it handles IMAP, SMTP, POP, IIS. The last cert I have no idea
    where it came from; it handles no services. So what certs, if any, can I delete here? Can I delete the self-signed and the unknown cert? I want to be as lean as possible.

    Hi,
    Firstly, I'd like to explain: the issuer name is the local CA name; it does not have to be your Exchange server name.  Only one certificate can be deployed to the IIS services in one environment. In Exchange 2013, there is an empty certificate which is deployed to no services:
     http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    For ease of administration, as well as for lower costs, it is recommended to provision as few certificates as possible. As long as all needed names are added in the certificate, we can install one certificate in one organization.
    And here is the minimized namespace which we need to add in our certificate:
    Autodiscover.domain.com
    The host name in all URLs of IIS services and Outlook Anywhere
    Legacy.domain.com
    If you have any question, please feel free to let me know.
    Thanks,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Angela Shi
    TechNet Community Support
