Ok, take me to (DNS) school

HCHTech

I've got a situation I need a little guidance on. New customer, whose previous IT guy was a relative - who has passed away. Yikes, a little touchy about suggesting changes - now isn't exactly the time to say things were done wrong....

Anyway. SBS2011, maybe a dozen employees. Their domain is (say) smithmfg.com. Their email addresses are employee@smithmfg.com. They have business internet service with (at least - don't know details yet) one static IP.

For some reason that is not clear, they have TWO dyndns domains smithmail.dynalias.com and smith2.dynalias.com, both of which point to their IP. The employees apparently USED TO use smithmail.dynalias.com for OWA, but now use smith2.dynalias.com.

They have a single MX record on their domain, which points to smithmail.dynalias.com. There is an SSL cert on the exchange server from a couple of weeks before the guy died with the name smith2.dynalias.com. OWA works without certificate errors using smith2.dynalias.com.

The in-house computers, however, all give certificate errors when you open Outlook, because Outlook is looking for smithmail.dynalias.com. There is no SSL cert on the server for smithmail.dynalias.com (which is why they are getting the cert error - duh).

The owner doesn't really understand any of this, but he did say that there was a reconfiguration the IT guy did around the time of the SSL cert for smith2 was installed.

This whole thing looks like a cluster&*$% to me. I have no idea what the guy was trying to accomplish with the dyndns domains. They called me because of the certificate errors Outlook was generating. Since they just spent a couple of hundred dollars on that cert, I'm inclined to make it work now and fix it right later, but half of me wants to chuck the whole mess and get rid of the dyndns domains altogether.

Is the change to Exchange to make it (and Outlook) "look for" the smith2.dynalias.com address done at the DNS level (maybe an autodiscover?) or is that controlled in Exchange itself? Mail is flowing now, so I don't want to screw it up trying to set things right. What a mess.
 
You can configure it through the internet connect weeeezard of SBS, or...direct through Exchange console in various places.
Is internal AD ending in .com also? Or .local?
Doesn't matter as far as the certs go though, you do those to the public FQDN.
If their router doesn't support loopback properly, like Turri mentioned..may need to whip up a record to resolve it internally.
And get rid of that mickey mouse dynamic dns junk.
 
You need to get rid of the dynamic DNS crap. That will cause mail to bounce even with proper certs because of the use of spammers for it. I'm surprised that you could get one for a DDNS IP address. I thought that was prohibited.
 
What I would do:

1. Run the Fix My Network wizard from the SBS console. In there it should ask what you want to call the outside URL for the SBS server. I prefer to use the default "remote.companyname.tld". Do that.
2. Then run the install SSL certificate wizard on the SBS console. It should prepopulate the external name from step 1. Then it generates the CSR. Take that to the SSL certificate vendor and reissue the SSL certificate. Enter in the CSR, and let them generate the certificate. Then install the certificate e-mailed to you using the Install certificate wizard on the SBS console.
3. You may need to go to each computer and touch the Mail control panel and make sure the settings are at defaults. It will probably use Exchange over HTTP. Confirm those settings there (I don't have a workstation at the moment to get you the default settings).
4. Change the MX record at the DNS host to the named server in step 1. (better yet, setup a spam filtering service like MAXMail or Reflexion to kill spam before it gets to the SBS box). You might want to make this change overnight or on a weekend to not impact e-mail.
5. Make sure that the customer has a Static IP address and a PTR record that matches step 1 (their ISP most likely does this part).

Once those steps are done, inform the users that the new URL to access OWA and RWW is from step 1. Touch their phones to change the OWA URL to the new one if necessary.
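Before running the wizards above, it helps to see exactly which hostnames the Exchange server is currently handing to Outlook, OWA and inbound mail, and which of them the installed certificate actually covers; that is what produces the Outlook certificate errors described in the first post (clients sent to one name, certificate issued for another). The script below is an added, read-only audit written for this thread, not something posted by any of the participants. It assumes it is run from the Exchange Management Shell on an SBS 2011 (Exchange 2010) server, that `$MailDomain` is replaced with the real public mail domain (the thread's placeholder smithmfg.com is used), and that `nslookup` can reach a resolver; it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the names Exchange 2010 on
# SBS 2011 publishes to clients versus the names in the certificate bound to IIS.
# Assumes the Exchange Management Shell. $MailDomain is a placeholder from the thread.
$MailDomain = "smithmfg.com"

# 1. Certificate currently assigned to IIS (serves OWA, Outlook Anywhere, Autodiscover, EWS, OAB).
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if ($iisCert -eq $null) {
    Write-Warning "No certificate is assigned to the IIS service; OWA and Outlook Anywhere will error."
    return
}
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"Certificate on IIS : $($iisCert.Subject)  (expires $($iisCert.NotAfter))"
"  Names in cert    : " + ($certNames -join ", ")

function Get-HostFromUrl([string]$url) {
    # Reduce an InternalUrl/ExternalUrl to its bare hostname, lower-cased.
    if ([string]::IsNullOrEmpty($url)) { return $null }
    return ([System.Uri]$url).Host.ToLower()
}

# 2. Hostnames Exchange hands to clients. Outlook builds its HTTPS target from the Outlook
#    Anywhere external hostname and the Autodiscover/EWS/OAB URLs, so a stale name here is
#    why Outlook keeps "looking for" the old dynalias name after the cert was replaced.
$published = @{}
$oa = (Get-OutlookAnywhere | Select-Object -First 1).ExternalHostname
if ($oa) { $published["OutlookAnywhere ExternalHostname"] = $oa.ToString().ToLower() }
$published["AutoDiscoverServiceInternalUri"] =
    Get-HostFromUrl ((Get-ClientAccessServer | Select-Object -First 1).AutoDiscoverServiceInternalUri)
foreach ($vd in @("WebServices", "Oab", "Owa", "ActiveSync", "Ecp")) {
    $dir = & "Get-$($vd)VirtualDirectory" | Select-Object -First 1
    $published["$vd InternalUrl"] = Get-HostFromUrl $dir.InternalUrl
    $published["$vd ExternalUrl"] = Get-HostFromUrl $dir.ExternalUrl
}

# 3. Where the public MX record points (the name other mail servers deliver to).
$mx = nslookup -type=mx $MailDomain 2>$null | ForEach-Object {
    if ($_ -match "mail exchanger = (\S+)") { $matches[1].TrimEnd(".").ToLower() }
}

function Test-NameCovered([string]$name, [string[]]$names) {
    # True when the certificate lists the name exactly, or via a wildcard one label above it.
    if (-not $name) { return $true }
    foreach ($n in $names) {
        if ($n -eq $name) { return $true }
        if ($n.StartsWith("*.") -and ($name -like $n) -and
            ($name.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

# 4. Report every published name the certificate does not cover.
"`nNames Exchange publishes to clients:"
foreach ($k in ($published.Keys | Sort-Object)) {
    $v = $published[$k]
    $flag = if (Test-NameCovered $v $certNames) { "ok" } else { "NOT IN CERT" }
    "  {0,-38} {1,-32} {2}" -f $k, $v, $flag
}
"`nPublic MX target(s) for ${MailDomain}:"
foreach ($m in $mx) {
    $flag = if (Test-NameCovered $m $certNames) { "ok" } else { "not in cert (affects TLS on port 25, not Outlook)" }
    "  {0,-32} {1}" -f $m, $flag
}
```

Every line flagged NOT IN CERT is a name Outlook or a browser will be sent to and then refuse to trust; in the situation described in the thread you would expect the Outlook Anywhere hostname and the Autodiscover/EWS URLs to still show the old smithmail name while the certificate lists smith2. Running the Fix My Network and certificate wizards from the SBS console is what rewrites these values to one consistent public name, and re-running this audit afterwards confirms nothing was missed before the MX record is moved.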
 
As others have mentioned, nixing the dynamic dns is your first step. For the certificate, https://www.startssl.com/ offers a 1 year cert for free (if you just need a web certificate for OWA). Rebuilding from scratch is my preferred approach to this type of situation; I find they turn into perpetual band-aid fixes if they aren't totally rebuilt.
 
4. Change the MX record at the DNS host to the named server in step 1. (better yet, setup a spam filtering service like MAXMail or Reflexion to kill spam before it gets to the SBS box). You might want to make this change overnight or on a weekend to not impact e-mail.

I'm a big believer in washing the mail before delivery.
*No anti spam software to bog down an Exchange server
*MX Record pointing to a hardened appliance increases security
*One of the more important reasons...on the Exchange server itself, AND...on the hardware firewall...you lock down ACLs so that SMTP port 25 is only...only...only..exposed to the IP(s) of the spam filter service...and not the whole wide world.
 
The first thing you need to do is absolutely make sure that they have a fixed IP address. Email will flow from a DHCP block address if they are using a third party SMTP server, like one from their ISP.

You need to also gain control of the domain registrar account as well as DNS if it's provided by a separate service.
 
Flip them to office 365. If you don't know how to fix DNS or MX I wouldn't start now. Move to Office 365 as getting message spooling, smart host and static ip will increase costs.

If you want to do this correctly you need static IP, smart host, SSL, good backup
 
Thanks for the replies, everyone. It is clear now that the dyndns domains were only used because the previous guy didn't quite know what he was doing. He got it working, but now it's time to do it right. I'll be scheduling time to unwind and reconfigure once I get a decision on spam filtering.
 