|
sanchez posted:
The hide from address list option in exchange management console (or users and computers if you're on 2003 still) works fine. The GAL can take a while to refresh on the server, then it can take a while longer for clients to download a fresh copy. Don't be surprised if the change takes a day or so to kick in.

Looks like I jumped the gun on that one. I tried this and it seems to be working, thanks.
|
# ? Apr 6, 2012 22:23 |
|
Fun times with outlook anywhere! Exchange 2010 (SBS 2011), remote users connecting via Outlook anywhere are getting certificate mismatch popups constantly. get-outlookprovider shows EXPR has no CertPrincipalName (it's blank). AutodiscoverServiceInternalUri shows remote.companyname.com, which is what our SSL cert is set to. When I change the CertPrincipalName to msstd:remote.companyname.com, it gives me a new cert error and users can't connect at all.
|
# ? Apr 10, 2012 16:30 |
|
Crackbone posted:
Fun times with outlook anywhere!

do you have a UCC or just a regular cert

you need the ucc to read like
internalservername.domain
internalservername
externalservername.externaldomain
autodiscover.externaldomain
and some other one

do the outlook anywhere test here https://www.testexchangeconnectivity.com/
|
# ? Apr 10, 2012 16:34 |
|
Regular single cert for remote.companyname.com. Outlook anywhere test fails on SSL validation.

quote:
Host name companyname.com doesn't match any name found on the server certificate CN=remote.companyname.com.com, OU=vendornameSSL, OU=Domain Control Validated.
|
# ? Apr 10, 2012 16:50 |
|
you need to get a UCC http://www.comodo.com/business-security/digital-certificates/unified-communications.php you can also get from godaddy and a few others
|
# ? Apr 10, 2012 16:55 |
|
The Godaddy (Wild West Domains/Starfield Tech) ones are solid and dirt cheap. I get mine from certificatesforexchange.com - haven't seen cheaper yet.
|
# ? Apr 10, 2012 17:02 |
|
If I understand correctly, you're recommending a UCC because outlook is using autodiscover.companyname.com (or alternatively just companyname.com), and I don't have a cert for those? To be clear, OWA is working other than that annoying popup. Don't suppose I could utilize remote.company.com for the autodiscover process, or disable SSL on it? I've got pretty much every other external site running off remote.company.com (Yes I know I should just get a new cert but boss is a massive cheapskate.)
|
# ? Apr 10, 2012 18:28 |
|
Crackbone posted:
If I understand correctly, you're recommending a UCC because outlook is using autodiscover.companyname.com (or alternatively just companyname.com), and I don't have a cert for those?

Create autodiscover SRV dns records for the domain 'company.com' that point to remote.company.com
Remove any universal resolvers for company.com (no *.company.com)
If you have an autodiscover.company.com domain, either delete it, or set it to redirect to remote.company.com
Poison your internal dns so remote.company.com resolves to the internal exchange address.

Get away with only a cert for remote.company.com, and no more outlook bitching.
|
# ? Apr 10, 2012 18:57 |
|
External DNS isn't hosted on the SBS box.
|
# ? Apr 10, 2012 19:42 |
|
EoRaptor posted:
Create autodiscover SRV dns records for the domain 'company.com' that point to remote.company.com

but my best practices!
|
# ? Apr 10, 2012 19:53 |
|
Nevergirls posted:
but my best practices!

Yeah, that goes out the window when you have to have a month-long fight over $300 purchases.
|
# ? Apr 10, 2012 19:57 |
|
A UCC is $50.
|
# ? Apr 10, 2012 20:31 |
|
Bitch Stewie posted:
A UCC is $50.

A year, and I'm doing a 3 year minimum when I set this up. I'm glad you work somewhere sane, but unfortunately I don't.
|
# ? Apr 10, 2012 20:47 |
|
Crackbone posted:
External DNS isn't hosted on the SBS box.

This is going to gently caress over a poo poo ton of stuff with AD, and SBS2011 in particular. You are boned. If you can, give up and walk away, because nothing is ever going to work quite right unless AD and DNS are bound together in a windows domain.

Nevergirls posted:
but my best practices!

This actually is the current recommended practice. autodiscover.* is being retired, as SRV records offer a lot more flexibility. Maybe not the dns poisoning part, though if SBS2011 is the dns for the domain, it does the remote.company.com poisoning for you anyway.
|
# ? Apr 10, 2012 21:23 |
|
EoRaptor posted:
This is going to gently caress over a poo poo ton of stuff with AD, and SBS2011 in particular. You are boned. If you can, give up and walk away, because nothing is ever going to work quite right unless AD and DNS are bound together in a windows domain.

PM'ing you about this.
|
# ? Apr 10, 2012 21:26 |
|
EoRaptor posted:
This is going to gently caress over a poo poo ton of stuff with AD, and SBS2011 in particular. You are boned. If you can, give up and walk away, because nothing is ever going to work quite right unless AD and DNS are bound together in a windows domain.

He said external DNS - not internal. Having external DNS hosted elsewhere is pretty common/just fine?
|
# ? Apr 10, 2012 21:30 |
|
EoRaptor posted:
This is going to gently caress over a poo poo ton of stuff with AD, and SBS2011 in particular. You are boned. If you can, give up and walk away, because nothing is ever going to work quite right unless AD and DNS are bound together in a windows domain.

Ummm, what? Is this a SBS thing? I have external DNS with one of our ISPs and all is running fine here. The only problem we have is the goddamn consultant set up our domain with a .com on the end instead of a .local or .corp or whatever so when they open *.com (no www) they go to our AD server. All of my ADs are DNS servers as well. What's it called? Split level or something like that? The term is escaping me right now.
|
# ? Apr 10, 2012 21:30 |
|
Mierdaan posted:
He said external DNS - not internal. Having external DNS hosted elsewhere is pretty common/just fine?

I'm guessing he's confusing recursive external DNS with authoritative external DNS.
|
# ? Apr 10, 2012 21:33 |
|
Ok, good, that post had me really wigged out for a second. I didn't think there was anything wrong with our setup (other than the single cert BS). Gonna see if our ISP supports autodiscover SRV records but doesn't look like it.
# ? Apr 10, 2012 21:47 |
|
Your autodiscover record in your public facing external DNS is just an A record so any DNS provider will support that.
|
# ? Apr 10, 2012 21:54 |
|
^^^ It may not be your ISP if you are using a domain registrar. You would probably go contact Godaddy / Network Solutions / whoever you got your domain name through.
|
# ? Apr 10, 2012 21:55 |
|
Bitch Stewie posted:
Your autodiscover record in your public facing external DNS is just an A record so any DNS provider will support that.

When it's just an A record I get the SSL problem because it's looking for autodiscover.company.com to have an SSL cert. I thought the point of doing the SRV record was I can tell external Outlook clients the autodiscover source is actually remote.company.com (which is what I have a SSL cert for).
|
# ? Apr 10, 2012 22:01 |
|
Crackbone posted:
A year, and I'm doing a 3 year minimum when I set this up. I'm glad you work somewhere sane, but unfortunately I don't.

The trick is to not mention the sub-optimal solution in this case to anyone. It's either $150 for the UCC or deal with the annoying popup. Hacked BS would never exist if techs didn't make the mistake of mentioning it to the people with the money.
|
# ? Apr 10, 2012 22:21 |
|
It's working. Contacted our external DNS provider, and they don't support actual autodiscover srv records. But they recommended setting up a wildcard SRV record, which worked just fine. We don't need any other external SRV records (and don't see needing any in the near future), so it looks like this is cleaned up at least in the short term. Not perfect but no more popups and no fighting over $$$.
|
# ? Apr 11, 2012 13:24 |
|
EoRaptor posted:
This is going to gently caress over a poo poo ton of stuff with AD, and SBS2011 in particular. You are boned. If you can, give up and walk away, because nothing is ever going to work quite right unless AD and DNS are bound together in a windows domain.

To clarify:

Clients on the internal network should use the SBS2011 machine for all DNS requests.
SBS2011 should be set to use external forwarders for any domain names it doesn't know.
The domain can use any external Name Server for providing its records to the internet at large.

You can use this to create an internal record for remote.company.com that points to your internal ip for the SBS2011 box, and use the Name Server to create a record for remote.company.com pointing to the external IP for the SBS2011 box. You'll need to pass port 443 to the SBS2011 box through your firewall.

In fact, SBS2011 does this by default. When you did the setup wizard, the external name it suggested (remote.company.com) is set up so SBS2011 will return its own internal address for the domain name, and anybody outside the company (or not using the SBS2011 DNS server) will see your external IP address.

A SRV record is pretty straight forward. I'm surprised your Name Server Provider doesn't support it.

This website: http://www.thirdtier.net/2011/06/setting-up-autodiscover-for-sbs-2011/ was the most helpful when I set mine up.
|
# ? Apr 11, 2012 17:28 |
|
EoRaptor posted:
A SRV record is pretty straight forward. I'm surprised your Name Server Provider doesn't support it.

They support SRV records, but their system has a web-based editor we use to manage the entries. Whatever software they use doesn't have autodiscover as an available protocol to use from the drop-down box when defining the record.
|
# ? Apr 11, 2012 17:37 |
|
Crackbone posted:
They support SRV records, but their system has a web-based editor we use to manage the entries. Whatever software they use doesn't have autodiscover as an available protocol to use from the drop-down box when defining the record.

Oh, just create a SRV record for _autodiscover._tcp.company.com with the following value '0 0 443 remote.company.com.' It really isn't complex.
|
# ? Apr 11, 2012 20:53 |
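A simplified model of the lookup discussed in this thread, added here as an example and not code from any poster: it walks the HTTPS names Outlook tries for company.com (root domain, then autodiscover.company.com, then the `_autodiscover._tcp` SRV target) and checks each against the certificate's names. The zone contents, the function names and the assumption that every listed name reaches the Exchange box on port 443 with the same certificate are constructed for illustration; the HTTP redirect step is left out.

```python
# Added example: zone contents and certificate names below are constructed.
def parse_srv(rdata):
    """Split SRV RDATA 'priority weight port target' into typed fields."""
    priority, weight, port, target = rdata.split()
    return int(priority), int(weight), int(port), target.rstrip(".").lower()

def cert_covers(host, cert_names):
    """Exact match, or a wildcard name covering exactly one left-most label."""
    host = host.lower()
    parent = host.partition(".")[2]
    return any(n.lower() == host or (n.startswith("*.") and n[2:].lower() == parent)
               for n in cert_names)

def reaches_exchange(host, zone):
    """True if host, or a DNS wildcard above it, points at the Exchange box."""
    names = zone["exchange_a"]
    return host in names or "*." + host.partition(".")[2] in names

def autodiscover_walk(domain, zone, cert_names):
    """Return (host, cert_ok) for the first HTTPS endpoint reached, else None."""
    for host in (domain, "autodiscover." + domain):
        if reaches_exchange(host, zone):
            return host, cert_covers(host, cert_names)
    rdata = zone["srv"].get("_autodiscover._tcp." + domain)
    if rdata:
        _, _, port, target = parse_srv(rdata)
        if port == 443 and reaches_exchange(target, zone):
            return target, cert_covers(target, cert_names)
    return None

SINGLE_CERT = ["remote.company.com"]   # single-name certificate, as in the thread
SRV = {"_autodiscover._tcp.company.com": "0 0 443 remote.company.com."}
# Three constructed external zones: the failing setup, the SRV-only setup,
# and the SRV setup with a leftover *.company.com resolver.
BEFORE = {"exchange_a": {"company.com", "autodiscover.company.com",
                         "remote.company.com"}, "srv": {}}
AFTER = {"exchange_a": {"remote.company.com"}, "srv": SRV}
WILDCARD = {"exchange_a": {"*.company.com", "remote.company.com"}, "srv": SRV}

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER), ("wildcard", WILDCARD)):
        print(label, autodiscover_walk("company.com", zone, SINGLE_CERT))
```

The wildcard zone shows why the catch-all resolver has to go: autodiscover.company.com answers before the SRV record is ever consulted, and the single-name certificate does not cover it.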
|
So I need to renew our Exchange 2010 UCC cert for the first time. If I follow this guide is anything going to bite me? http://www.msexchangegeek.com/2011/12/20/how-to-renew-exchange-server-2010-certificates/ I'm familiar with renewing third-party certs, just haven't come across this issue of the CSR being binary encoded and don't want to risk any problems.
|
# ? Apr 12, 2012 18:00 |
|
EoRaptor posted:
Oh, just create a SRV record for _autodiscover._tcp.company.com with the following value '0 0 443 remote.company.com.'

The DNS management software won't let you create a record like that - you have to choose from predefined protocols that they provide from a dropdown menu. It's not about being complex, I can't do it with the tools available.
|
# ? Apr 12, 2012 18:39 |
|
Bitch Stewie posted:
So I need to renew our Exchange 2010 UCC cert for the first time.

Like that guide says, just don't remove the request from the server and you won't have any problems.
|
# ? Apr 12, 2012 18:52 |
|
Bitch Stewie posted:
So I need to renew our Exchange 2010 UCC cert for the first time.

Using the EMC to generate the CSR is fine. It has some prompts about the items you want to include, and then generates a list based on how you respond. You can edit the list in the final window and issue the CSR. As somebody who uses powershell for nearly everything, I still go to the EMC for generating and fulfilling CSRs.
|
# ? Apr 13, 2012 00:36 |
|
We seem to have frequent issues with people getting their profiles hosed up (which I acknowledge may not be Exchange-specific); we use roaming profiles that are stored in DFS and users are showing up unable to open Outlook 2007 via Citrix. Typically the message will be something about not being able to open the default folders. The current workaround is to launch Citrix Desktop under the user's account, run outlook.exe with the /profiles option and create a new profile then set it as default. This typically fixes the problem. Our environment is mixed 2003/2008 (the domain is not 2008 native) and Exchange 2011. Any ideas?
|
# ? Apr 13, 2012 03:55 |
|
Hopefully this thread still has some life in it.. I'm finishing up an exchange migration (2003 -> 2010) and just switched OAB distribution to web-based. And I just realized something. I have no clue where I can actually view my OAB in Outlook. It's being published in IIS, I can see it sitting in my "offline address books" folder on my system's hdd, I just have no idea where in outlook I would see the contents of it. There's nothing in my 'contacts' tab. Am I missing something stupid? I must be - even google thinks that's too stupid of a question to answer.
|
# ? May 3, 2012 07:30 |
|
Then click the Address Book dropdown menu?
|
# ? May 3, 2012 18:58 |
|
I just started enforcing passwords on all activesync mobile devices and predictably everyone is complaining. I want to increase the timeout on this to say, 4 hours before they have to enter a password. Looks like the limit is 60 minutes in the console, any way to override that? Another question: anyone notice android being completely retarded when it comes to this? I had one issue where an android user couldn't get email after policy was enforced, but he already had a password on his device. Another user had the swipe-code thing and that didn't count as a good enough password for exchange (or wasn't recognized -- this one prob isn't android's fault)
|
# ? May 3, 2012 20:46 |
|
Nevergirls posted:
Another question: anyone notice android being completely retarded when it comes to this? I had one issue where an android user couldn't get email after policy was enforced, but he already had a password on his device. Another user had the swipe-code thing and that didn't count as a good enough password for exchange (or wasn't recognized -- this one prob isn't android's fault)

Android handsets are poo poo when it comes to compliance with activesync policies. The solution is to narrow down the supported handsets, or license touchdown. iOS devices ~*~just work~*~

Somebody once posted a PDF report on various handsets specifically relating to this issue and I've never been able to find it again.
|
# ? May 3, 2012 21:20 |
|
Kenfoldsfive posted:
Hopefully this thread still has some life in it..

It's just the global address list, so you can see it in all of the usual places. Create a new e-mail and click [To:] it should be populated there. The OAB parameters just handle how clients cache the specified address list.

If you are just trying to make sure it's working, here's a quick check to make sure it's generating and distributing properly:
- Issue an update-offlineaddressbook and check for OABGEN errors in the event log.
- Then make sure you can download them client-side in Outlook via the send-receive -> Download Address Book
- You should see the address list you've specified as the OAB for that mailbox in the following dialog box. Tell it to download full details.
|
# ? May 3, 2012 21:31 |
|
Linux Nazi posted:
Android handsets are poo poo when it comes to compliance with activesync policies. The solution is to narrow down the supported handsets, or license touchdown.

https://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_clients
Is what I use, I don't support android devices unless they're running touchdown makes my life much simpler.
|
# ? May 3, 2012 22:23 |
|
Just going to post this here as well as the security thread All of a sudden everyone on my network is getting connect calendar.office.microsoft.com pop ups asking them for their logins to our AD domain it looks like a real box in outlook, no one has done any public calendar sharing and we're on our own exchange server. Everything shows normal in trend and the sonicwall though. Is this some random outlook bug or an exploit in progress.
|
# ? May 10, 2012 19:47 |
|
Not sure if this is the best place for this but here goes. Can anyone tell me an easy / step by step way of forwarding my emails from my two Hotmail accounts (@hotmail.co.uk & @caledonian.ac.uk) to my Gmail acc? Tried myself but Hotmail's Outlook options are unmanageable and I can't see anything in Gmail's settings. Thanks.
|
# ? May 10, 2012 21:40 |