tehsteve86 Posted March 26, 2015

This is probably a real simple question for you Exchange pros. Basically, I am in the process of setting up a new Exchange Server from scratch. I was going through the configuration of the self-signed SSL cert and there were a few fields that I'd like to be enlightened on:

Filling out the intranet part, that is easy: ABC-Exchange2.ZZZ.local

For the public Internet face of things, I noticed that it's recommended to use mail.ZZZ.com, so I will just use mail2.ZZZ.com for my research purposes' sake. BlueHost owns our ZZZ.com domain and our AD/DNS is only configured for ZZZ.local. Do I just create an A (Host) record under DNS Zone Editor on BlueHost and point it to my public IP or to mail2.ZZZ.com?

This takes me to my next question. If I was to type in mail2.ZZZ.com, I usually had to manually type in the /owa at the end. Does the /owa get put in there automatically or does the user still need to type it in?

Sorry, I am an Exchange n00b.
sc302 Posted March 26, 2015

You will need an A record pointing mail2.zzz.com to your external IP, then you will need an MX record pointing to mail2.zzz.com. When configuring your mail server you can have a redirect to https://mail2.zzz.com/owa in IIS. Your internal DNS should have a zone for zzz.com and either an A record or a CNAME for mail2 pointing to your internal mail server IP/hostname.
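As an added example, not part of the thread, here is the internal (split-DNS) half of the answer above done from PowerShell on an AD DNS server (Windows Server 2012 R2 or later, DnsServer and WebAdministration modules), followed by the OWA redirect in IIS. The internal IP 192.168.1.10, the public IP 203.0.113.10 and the list of Exchange vdirs are assumptions; the public A and MX records still have to be created at BlueHost by hand. One caveat the answer implies but does not spell out: an internal zone named zzz.com hides every other public name under zzz.com (the www site at BlueHost included) from internal clients, so the script also shows a pinpoint zone for just mail2.zzz.com, which avoids that.

```powershell
# Added example (not from the thread). Assumed placeholders: zone zzz.com, host mail2.zzz.com,
# internal Exchange IP 192.168.1.10, public IP 203.0.113.10. Run elevated on a DC/DNS server.
Import-Module DnsServer

$PublicDomain = 'zzz.com'
$MailHost     = "mail2.$PublicDomain"
$InternalIp   = '192.168.1.10'

# Option 1: a full internal copy of zzz.com. It shadows EVERY public name under zzz.com for
# internal clients, so www and anything else hosted at BlueHost must be re-created here too.
function New-SplitBrainZone {
    param([string]$Zone, [string]$MailHostName, [string]$Ip)
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
    }
    $label = $MailHostName.Substring(0, $MailHostName.Length - $Zone.Length - 1)   # 'mail2'
    Add-DnsServerResourceRecordA  -ZoneName $Zone -Name $label -IPv4Address $Ip
    # MX at the zone apex ('.' = the zone itself) so internal tests see the same mail host as the Internet
    Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange $MailHostName -Preference 10
}

# Option 2 (safer): a "pinpoint" zone named exactly mail2.zzz.com. Only that one name is
# overridden; every other name under zzz.com still resolves through the public DNS at BlueHost.
function New-PinpointZone {
    param([string]$MailHostName, [string]$Ip)
    if (-not (Get-DnsServerZone -Name $MailHostName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $MailHostName -ReplicationScope Domain
    }
    Add-DnsServerResourceRecordA -ZoneName $MailHostName -Name '@' -IPv4Address $Ip   # '@' = zone apex
}

New-PinpointZone -MailHostName $MailHost -Ip $InternalIp

# Check: the same name must resolve to the internal IP inside and the public IP outside.
function Test-SplitBrain {
    param([string]$Name, [string]$InternalDns = '127.0.0.1', [string]$ExternalDns = '8.8.8.8')
    $in  = (Resolve-DnsName -Name $Name -Type A -Server $InternalDns -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A').IPAddress
    $out = (Resolve-DnsName -Name $Name -Type A -Server $ExternalDns -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A').IPAddress
    [pscustomobject]@{ Name = $Name; Internal = $in; External = $out; Split = [bool]($in -and $out -and ($in -ne $out)) }
}
Test-SplitBrain -Name $MailHost

# From OUTSIDE the LAN only: 443 at the public IP must actually reach Exchange, not the other
# website that already answers on that address (one public IP, one port 443).
Test-NetConnection -ComputerName $MailHost -Port 443

# OWA redirect: https://mail2.zzz.com/ lands on /owa. The httpRedirect setting is inherited by
# every child vdir, so it must be switched off again on each one or Autodiscover/EWS/ActiveSync break.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'
$f    = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name enabled     -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $f -Name destination -Value "https://$MailHost/owa"
foreach ($v in 'aspnet_client','Autodiscover','ecp','EWS','Microsoft-Server-ActiveSync','OAB','owa','PowerShell','Rpc') {
    Set-WebConfigurationProperty -PSPath "$site\$v" -Filter $f -Name enabled -Value $false
}
```

Run Test-SplitBrain from a domain-joined machine; Split should come back True once the pinpoint zone has replicated. The vdir list is the Exchange 2013 default set; confirm it against what IIS Manager shows under Default Web Site before relying on the loop.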
tehsteve86 Posted March 26, 2015

> When configuring your mail server you can have a redirect to https://mail2.zzz.com/owa in IIS.

I figured this because technically mail2.zzz.com would point to my public IP address and my public IP address already resolves to a different website running right from my business location. Entering mail2.zzz.com during the Exchange SSL cert configuration will be safe though, right, after I make the above redirect point?

> Your internal DNS should have a zone for zzz.com and either an A record or a CNAME for mail2 pointing to your internal mail server IP/hostname.

Yeah, I think I need to create a "zone".
sc302 Posted March 26, 2015

You should also make an autodiscover.zzz.com. This will allow for automatic configuration for phones and Outlook clients. It is also recommended to have a cert from a known provider so that there is less config on phones and clients. Otherwise you will need to import the cert on all computers and phones. You are on the right path though.
tehsteve86 Posted March 26, 2015

So get this, I went into BlueHost earlier today to look at the A records. One of the things I noticed was that there already was an "autodiscover" record pointing at what seems to be a BlueHost server. I changed the IP address of that and it's been a good 9 hours. Now I am home and am pinging that URL and it is still resolving to BlueHost.

I also noticed an SRV record in the DNS zones on BlueHost. It says:

_autodiscover_ _tcp autodiscover.bluehost.com

Do you think I should change that?

There also is a Host record that has:

v=spf1 ip4:66.147.244.160 a mx ptr include:bluehost.com ?all

I'm not sure I should touch that.
sc302 Posted March 26, 2015

DNS changes can take up to 48 hours. What is your TTL?
tehsteve86 Posted March 26, 2015

14400
sc302 Posted March 26, 2015

Yea, that is 24 hours. The next DNS check won't be for another 15 hours or so. You should change them now to as low as they can go. The next update will change that number to check back more frequently.
tehsteve86 Posted March 26, 2015

Should I change the SRV record _autodiscover_ _tcp autodiscover.bluehost.com as well in the DNS zones on BlueHost? Or should I just edit the A record on BlueHost?
sc302 Posted March 26, 2015

You should have autodiscover.zzz.com, not bluehost. Who cares about bluehost.
tehsteve86 Posted March 26, 2015

Well, the autodiscover A record I know to change. The SRV record that has autodiscover terminology, I'm not so sure. We do have other sites running on BlueHost; I don't want them impacted.
sc302 Posted March 26, 2015

You should only be worried about anything associated with zzz.com. BlueHost should be left alone or removed.
tehsteve86 Posted March 26, 2015

You are right. I am in the process of adding an SRV record, but I am a little lost where to place it. I have:

ZZZ.local
  _sites
  _tcp
  _udp
  DomainDNSZones
  ForestDNSZones

When I right-click and click Other New Records / SRV records, not one of them states _autodiscover in the Service: field. Do I need to add that in manually? Also, which of the folders above would I create this in? ZZZ.local or DomainDNSZones?
sc302 Posted March 27, 2015

Right at the same level as domain.local, directly under Forward Lookup Zones.
tehsteve86 Posted March 27, 2015

Ok. I created the SRV record. I had to manually fill in _autodiscover and _tcp as they were not available in the drop-down options. I hit OK and it seemed to go through. I refreshed the zone and couldn't find the record in there. I thought that I would try it again. I went through the same process and it says that the record already exists. Where was the record placed? If it is there, it is not appearing!?

edit: ok, I found it. It dropped into the _tcp folder.
sc302 Posted March 27, 2015

Can't see your screen so I can't really say for sure... try doing an nslookup for those addresses and see what they resolve to.
tehsteve86 Posted March 27, 2015

I just ran the Analyzer tool and it said:

Attempting to locate SRV record _autodiscover._tcp.ZZZ.com in DNS.
The Autodiscover record wasn't found in DNS.

I see the record sitting in ZZZ.local -> _sites -> _tcp after I created it inside ZZZ.local. What gives?
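Added example, not from the thread, for the nslookup check suggested two posts up. It also shows why the analyzer query above comes back empty: the client asks for _autodiscover._tcp.zzz.com, so the record has to live in a zone for zzz.com (the internal zzz.com zone from earlier in the thread, or BlueHost's public zone), and a record filed under zzz.local is never consulted for that name. zzz.com and mail2.zzz.com are the thread's placeholders, and the functions assume an internal zzz.com zone already exists on the AD DNS server. One caveat from earlier in the thread: while autodiscover.zzz.com still points at a BlueHost address, the host at that address is the first HTTPS endpoint Outlook and phones contact with their Autodiscover request, so that A record is worth fixing before the SRV one.

```powershell
# Added example (not from the thread). Assumed placeholders: public domain zzz.com,
# Exchange host mail2.zzz.com, internal zzz.com zone already present on this DNS server.
Import-Module DnsServer

function Add-AutodiscoverRecords {
    param([string]$Zone = 'zzz.com', [string]$MailHostName = 'mail2.zzz.com')
    # Owner name is _autodiscover._tcp.<zone>: in the DNS console that is a _tcp folder directly
    # under the zzz.com zone, not zzz.local\_sites\_tcp. Target must be a name on the certificate.
    Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_autodiscover._tcp' `
        -DomainName $MailHostName -Priority 0 -Weight 0 -Port 443
    # The host name clients try before falling back to SRV; a CNAME keeps it in step with mail2.
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'autodiscover' -HostNameAlias $MailHostName
}

# Reproduce the DNS lookups Outlook makes after the AD SCP lookup, in order, and show where
# each one leads. Run it once against the internal DNS and once against a public resolver.
function Test-AutodiscoverDns {
    param([string]$Domain = 'zzz.com', [string]$DnsServer)
    $dns = @{}
    if ($DnsServer) { $dns.Server = $DnsServer }
    $steps = @(
        @{ Step = 'https://<domain>/Autodiscover/Autodiscover.xml';              Name = $Domain;                      Type = 'A'   },
        @{ Step = 'https://autodiscover.<domain>/Autodiscover/Autodiscover.xml'; Name = "autodiscover.$Domain";       Type = 'A'   },
        @{ Step = 'SRV _autodiscover._tcp.<domain> -> https://<target>:<port>';  Name = "_autodiscover._tcp.$Domain"; Type = 'SRV' }
    )
    foreach ($s in $steps) {
        $r = Resolve-DnsName -Name $s.Name -Type $s.Type -ErrorAction SilentlyContinue @dns
        $target = if (-not $r) {
            '(no record)'
        } elseif ($s.Type -eq 'SRV') {
            ($r | Where-Object Type -eq 'SRV' | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
        } else {
            ($r | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ','
        }
        [pscustomobject]@{ Step = $s.Step; Query = "$($s.Type) $($s.Name)"; Resolves = $target }
    }
}

Test-AutodiscoverDns -Domain 'zzz.com'                      # what an internal client sees
Test-AutodiscoverDns -Domain 'zzz.com' -DnsServer '8.8.8.8' # what the Internet sees
```

The equivalent one-liner at a command prompt is `nslookup -type=SRV _autodiscover._tcp.zzz.com`; if it only answers when you point it at the internal DNS server, the SRV record still has to be added at BlueHost (or, if BlueHost's editor cannot do SRV, only the autodiscover A record is available externally).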
sc302 Posted March 27, 2015

Mind if I TeamViewer in to get a better idea of what is going on? It would help expedite things and get you more direct answers. You can PM the codes if you wish.
tehsteve86 Posted March 27, 2015

Sure, PMing you!
tehsteve86 Posted March 27, 2015

SC302 - thanks for all your help today. I managed to install the self-signed cert, and after the end-user import, everything looks good. No prompts. Success!

I am thinking about dropping the remote.zzz.net SSL cert from GoDaddy and purchasing the 5-device *.zzz.com instead. This way I can have mail.zzz.com, remote.zzz.com, etc. and easily manage it. I already made an A record for remote.zzz.com on BlueHost and also placed an entry in the zone you helped me create!

Thanks again for all your help tonight!
tehsteve86 Posted March 27, 2015

Update: it appears that the GoDaddy cert was actually working for remote.zzz.net the whole time. All my remote users and mobile device users now need to have SSL unchecked to get their email flowing again since the GoDaddy cert has been removed. However, my self-signed cert for internal users did make the annoying security error popup go away, which was my original goal. :)

Now I must add the GoDaddy cert again because my external users are complaining by the dozens. But... when I add the GoDaddy cert back in, my internal users will start getting that security error message again. I feel like I'm back to square 1, haha. Thoughts?

I think that the GoDaddy cert changes my internal and external address to the same thing in the OWA URL fields, which would end up being remote.zzz.net. Meaning that remote.zzz.net is probably also pointing at my Intranet OWA URL field, which is not what I want.

I am thinking of importing the GoDaddy cert and then manually editing (PowerShell) the Intranet-facing fields back to https://xxx-ExG01.something.local/owa and leaving the public Internet-facing field of remote.zzz.net alone. Or will performing this PowerShell "hack" edit break the GoDaddy cert altogether? Does this make any sense?
sc302 Posted March 27, 2015

Yes, your GoDaddy cert, while hosting 2 different services, resolves to one external IP. You really should have a separate cert for Exchange and one for your remote desktop users... I would do a self-signed cert for the remote desktop and have a global/GoDaddy cert for mail. Mail hits far more devices/OSes than remote desktop and it is more difficult to import the self-signed cert/CA into every OS that could possibly connect to Exchange (this is what I was getting at last night). Sharing a cert between two servers isn't exactly the best or recommended practice even though it may work.

You really need to have a UCC SSL to support Exchange. https://www.godaddy.com/ssl/ssl-certificates-config.aspx?origin=pod&plan=ssl_std_3_5

The certificate, in my opinion, should have:

mail.xxx.com
webmail.xxx.com
autodiscover.xxx.com

You can change names if you want, but those are the three that should be in there. Your DNS host may not support SRV records, so you would need to add autodiscover as an A record to your external DNS host.

At the very least, if you wish to continue to go down the route of having your current, single, GoDaddy cert act as everything, you will need to remove the www.remote.xxx.com and add mail, webmail, and autodiscover to that cert through the GoDaddy interface... then import that cert into Exchange again.
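Added example, not from the thread, of the UCC/SAN approach recommended above, run in the Exchange Management Shell on the Client Access server. The server name EXG01, the three host names, O=ZZZ and the file paths are assumptions, and Set-ClientAccessServer is the Exchange 2013 cmdlet (Exchange 2016 renamed it Set-ClientAccessService). Two points a practitioner should take from the two posts above: public CAs no longer issue certificates for internal names such as ABC-Exchange2.zzz.local (the CA/Browser Forum rules ended that issuance on 1 November 2015), so the InternalUrl fields should carry a name that is on the public certificate and resolves internally through the split-DNS zone, which removes the internal/external conflict the previous post describes; and unchecking SSL on the phones, the stopgap mentioned there, sends ActiveSync credentials and mailbox content over plain HTTP, so it should be reverted as soon as the certificate is in place. The last function is the check: every host name in an internal or external URL must be covered by the certificate bound to IIS.

```powershell
# Added example (not from the thread). Assumed placeholders: server EXG01, names mail.zzz.com,
# webmail.zzz.com, autodiscover.zzz.com, request/cert files under C:\certs. Exchange 2013 cmdlets.
$Server = 'EXG01'
$Names  = 'mail.zzz.com','webmail.zzz.com','autodiscover.zzz.com'

# 1. CSR for a UCC/SAN certificate. The CN is the first name; no .local names anywhere.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$($Names[0]),O=ZZZ,C=US" -DomainName $Names -FriendlyName 'ZZZ mail UCC'
[System.IO.File]::WriteAllBytes('C:\certs\zzz.req', [System.Text.Encoding]::Unicode.GetBytes($csr))
# ... submit C:\certs\zzz.req to the CA, save the issued certificate as C:\certs\zzz.cer ...

# 2. Import it and bind it to IIS (OWA/ECP/EWS/ActiveSync/Autodiscover) and SMTP.
$cert = Import-ExchangeCertificate -Server $Server -FileData ([System.IO.File]::ReadAllBytes('C:\certs\zzz.cer'))
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 3. Point every client-facing URL, internal AND external, at a name that is on that certificate.
$url = "https://$($Names[0])"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$url/owa" -ExternalUrl "$url/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$url/ecp" -ExternalUrl "$url/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$url/EWS/Exchange.asmx" -ExternalUrl "$url/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$url/Microsoft-Server-ActiveSync" -ExternalUrl "$url/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$url/OAB" -ExternalUrl "$url/OAB"
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$($Names[2])/Autodiscover/Autodiscover.xml"

# 4. Check: each host name in any InternalUrl/ExternalUrl must be a SAN (or match a wildcard SAN)
#    on the certificate that IIS actually serves; any False row will produce certificate warnings.
function Test-ExchangeUrlCoverage {
    param([string]$Server)
    $iisCert = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    $covered = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
             @(Get-WebServicesVirtualDirectory -Server $Server) + @(Get-ActiveSyncVirtualDirectory -Server $Server) +
             @(Get-OabVirtualDirectory -Server $Server)
    $urls = @(foreach ($v in $vdirs) {
        foreach ($u in $v.InternalUrl, $v.ExternalUrl) {
            if ($u) { [pscustomobject]@{ Source = "$($v.Identity)"; Url = "$u" } }
        }
    })
    $urls += [pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri'
                                Url    = "$((Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri)" }
    foreach ($e in $urls) {
        $h    = ([uri]$e.Url).Host.ToLower()
        $wild = '*.' + ($h -replace '^[^.]+\.', '')      # what a wildcard SAN such as *.zzz.com would cover
        [pscustomobject]@{ Source = $e.Source; HostName = $h; OnCertificate = ($covered -contains $h -or $covered -contains $wild) }
    }
}
Test-ExchangeUrlCoverage -Server $Server | Format-Table -AutoSize
```

Run step 4 again after any URL or certificate change; a row with OnCertificate False is exactly the condition that makes the "security error" popup come back for the users on that URL.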
tehsteve86 Posted March 27, 2015

Purchase a new/more cert? LOL, cmonnnnnnn. Most of our computers here are Optiplex GX280s, lmao. I'm surprised we keep up with 2 domain renewals and a hosting, haha.