
IT: Help setting up Exchange 2010

Old 07-08-2010 | 10:26 PM
  #1  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
Question IT: Help setting up Exchange 2010

First let me say that I just signed up for a TechNet subscription for $199 the first year and $149 every year after that. That is a GREAT deal, I now have access to all this expensive software that I couldn't get before (except when I had MSDNAA and it was all FREE). This subscription has pretty much everything, Exchange, Server all flavors, Windows all flavors (even 3.1), Office all flavors, etc. Only thing I don't see is Expression Blend and Visual Studio but I guess those are MSDN things not TechNet. It's a really good deal if you want to try out all the new stuff. I know all you IT guys already know this stuff but I think the $199 price is a recent change, it used to be $350 was cheapest I think.

So I've set up a VM on my Hyper-V box running Server 2008 R2 and Exchange 2010. I've got my own AD running and bought an external domain and I've set up pretty much all my DNS records including SRV record for _autodiscover.tcp and a TXT record for SPF. I've been using the www.testexchangeconnectivity.com site which has been a great tool and I'm passing almost all the tests. My only problem seems to be with using the self-signed certificate that comes with Exchange and not a 3rd party one and that it can't find an autodiscover.mydomainname.com 'cause I haven't created it 'cause I don't know how.

So what's my best option for a 3rd party cert that will allow me to do ActiveSync, SMTP, autodiscover and IIS? My boss said I might need a UCC cert that covers 5 domains and he recommended GoDaddy for that. Also he said I'll need a PTR record for reverse DNS or I'm going to be blacklisted and that I'd need to contact my ISP for that. He said I might be able to use the self-signed cert that comes with Exchange but I'll probably get a warning message every time I connect and I might not be able to connect my iPhone with ActiveSync.

Finally how do I make the autodiscover.mydomainname.com sub-domain with IIS 7? Is that what setting up a virtual directory in IIS 7 does?

This is what I have now which I think is setup as mydomainname.com/autodiscover



I think that's all of my questions for now, this is my first time setting up exchange server and doing all these things to make it actually work. I'm not doing this for work or anything this is a side project for my education and experience.

Last edited by #1 STUNNA; 07-08-2010 at 10:33 PM.
Old 07-08-2010 | 10:41 PM
  #2  
Billiam's Avatar
Big Block go VROOOM!
 
Joined: Oct 2003
Posts: 8,578
Likes: 1
From: Chicago Burbs
You're working on this at 11:30pm? Go to bed!

If you're only looking to do mail for a single domain, I don't see why you would need a wildcard certificate covering multiple domains unless you were looking to have something like both @test.stunna.com and @production.stunna.com functioning.

Yes, you will definitely need to have a PTR record for whatever IP address that is listed as your MX record or practically nothing in the world is going to conduct any SMTP transactions with you.

I don't see why self-signed certificates wouldn't work for you. Especially if it's just you or people you know that would be using the system. Here's the catch though... with Exchange your self signed certificates may (emphasize may) need to be issued from a certification authority you create which is in turn tied to/authorized in your Exchange AD domain. I would definitely recommend finding the answer to this before proceeding as it may lead to a lot of banging your head against the wall if you're unsure.

On a related note, I'll ask you to look into a question for me. If I have separate client access and mailbox servers, and the CA box is only doing Outlook RPC connections, do I need certificates for the CA server, the mailbox server, both, or neither? Again, no HTTP on the CA server. Just Outlook RPC.

Last edited by Billiam; 07-08-2010 at 10:44 PM.
Old 07-08-2010 | 10:49 PM
  #3  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
Doesn't the cert have to match the computer name too? So you can't have a cert tied to one server and use it on another server with a different name. Right? I'm a real noob at this stuff so take everything I say with a grain....

Aren't you supposed to be teaching me?

p.s. 11:30 is dinner time for me, I'll be up for 4 more hours.

I'll ask my boss your question, he fucking knows everything! But he's going on vacay so IDK if he'll respond and he's probably celebrating Lebron going to Miami.

Last edited by #1 STUNNA; 07-08-2010 at 10:53 PM.
Old 07-08-2010 | 10:55 PM
  #4  
Billiam's Avatar
Big Block go VROOOM!
 
Joined: Oct 2003
Posts: 8,578
Likes: 1
From: Chicago Burbs
Originally Posted by #1 STUNNA
Doesn't the cert have to match the computer name too? So you can't have a cert tied to one server and use it on another server with a different name. Right? I'm a real noob at this stuff so take everything I say with a grain.....
Correct. A certificate, regardless of whether it's commercially purchased or self signed, is issued for a fully qualified host name such as servername.domain.com. The exception being wildcard certificates which would be issued against *.domain.com. It's my understanding that they're pretty rare though and usually found only in provider environments or large organizations. We looked into purchasing one from Verisign once and it was crazy expensive. I think we would have needed to cover at least 20+ servers with it before it made sense to buy. We don't have anywhere near that many internet-facing servers that require HTTPS.
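
The name-matching rule discussed in the posts above, as an added example that is not part of the original thread: it checks which hostnames a mail client would connect to are covered by a certificate's name list, for a self-signed, a multi-name (UCC) and a wildcard certificate. The hostnames and name lists are constructed, with example.com standing in for the poster's domain, and the matcher is a simplified form of the usual rule (a `*` only as the whole left-most label, covering exactly one label).

```python
# Constructed sample data; example.com stands in for the poster's domain.
REQUIRED = ["mail.example.com", "autodiscover.example.com"]
SELF_SIGNED = ["server2008r2", "server2008r2.corp.example.local"]  # internal names only
UCC = ["mail.example.com", "autodiscover.example.com", "example.com"]
WILDCARD = ["*.example.com"]


def name_matches(pattern, host):
    """Return True if a certificate name covers the host name.

    Simplified matching: case-insensitive, and '*' is accepted only as the
    entire left-most label, where it stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans several labels or zero labels
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, hosts):
    """List the hosts that no name on the certificate covers."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    for label, names in (("self-signed", SELF_SIGNED), ("UCC", UCC),
                         ("wildcard", WILDCARD)):
        missing = uncovered(names, REQUIRED)
        print(f"{label:12} uncovered: {missing or 'none'}")
    # The wildcard covers neither the bare domain nor a two-level subdomain.
    print(uncovered(WILDCARD, ["example.com", "owa.mail.example.com"]))
```

A name that is covered still produces a client warning if the issuer is not trusted, which is the separate problem with the self-signed certificate raised earlier in the thread.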
Old 07-08-2010 | 11:16 PM
  #5  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
My boss said GoDaddy has one for $90 a year and it covers 5 domains so they use it for autodiscover, SMTP and around the office for other things, RDP I think.

Yup you can see here Multi-domain UCC for $90 and they have single-domain w/ unlimited subdomain for $199

https://www.godaddy.com/ssl/ssl-cert...e=%2B&app_hdr=

Even at $89, that's a lot for me. I'm just doing this to dick around with not for real business so I'd like to do it for free or cheap but of course I understand the reason why it costs $89/yr.

Last edited by #1 STUNNA; 07-08-2010 at 11:26 PM.
Old 07-17-2010 | 11:04 AM
  #6  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
Ok I've got the autodiscover problem fixed, I just needed to create an autodiscover Host on my DNS server and in my external DNS settings too. I'm now passing all of the exchange tests except for one.

I still need to fix my PTR record problem. Do I need to make an NAPTR record or PTR record on my internal DNS server?

Also I don't think I'm going to have to bother with a 3rd party cert I think the self signed will work fine. We'll see though...
Old 07-17-2010 | 11:14 AM
  #7  
doopstr's Avatar
Team Owner
 
Joined: Jan 2001
Posts: 25,466
Likes: 2,226
From: Jersey
You need to ask your ISP to make the PTR record. You will need to tell them the public IP that your mail server is using.
Old 07-17-2010 | 11:20 AM
  #8  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
Ok. I don't have to make a PTR record on my DNS server that my ISP will point to?

Currently my PTR reads 63-135-XXX-XXX.static.tbdsl.com

Do I need to make a PTR that my ISP will see and it will read something that has my mail server's name in it like 63-135-XXX-XXX.server2008r2.mydomainname.com?

Last edited by #1 STUNNA; 07-17-2010 at 11:22 AM.
Old 07-17-2010 | 11:22 AM
  #9  
doopstr's Avatar
Team Owner
 
Joined: Jan 2001
Posts: 25,466
Likes: 2,226
From: Jersey
No.
Old 07-17-2010 | 11:24 AM
  #10  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
sweet!

thanks, everybody! I'll call my ISP on Monday and get this sorted out. Are they going to charge me for this?
Old 07-17-2010 | 11:28 AM
  #11  
doopstr's Avatar
Team Owner
 
Joined: Jan 2001
Posts: 25,466
Likes: 2,226
From: Jersey
I've never been charged. They are going to ask you what that IP needs to be pointed to, give them the name that you used for the MX record (ex. smtp.stunna.com)

Last edited by doopstr; 07-17-2010 at 11:30 AM.
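
The PTR advice in this exchange, as an added example that is not part of the original thread: a check that the address behind a domain's MX host has a PTR record, that the PTR name resolves back to the same address, and that it is the MX name rather than a generic ISP-assigned one. All records are constructed (example.com and 203.0.113.10 are documentation values), the "generic" test is a simple heuristic, and the function works on record tables passed in rather than doing live lookups.

```python
# Constructed sample records; domain and IP are documentation values.
MX = {"example.com": ["smtp.example.com"]}
A_BEFORE = {"smtp.example.com": ["203.0.113.10"],
            "203-0-113-10.static.isp.example": ["203.0.113.10"]}
PTR_BEFORE = {"203.0.113.10": ["203-0-113-10.static.isp.example."]}
A_AFTER = {"smtp.example.com": ["203.0.113.10"]}
PTR_AFTER = {"203.0.113.10": ["smtp.example.com."]}


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")


def check_mail_ptr(domain, mx, a, ptr):
    """Return (ip, issue) pairs for the reverse DNS of a domain's MX hosts.

    mx:  domain -> list of MX host names
    a:   host name -> list of IPv4 addresses
    ptr: IPv4 address -> list of PTR names
    """
    a = {norm(k): v for k, v in a.items()}
    findings = []
    for host in map(norm, mx.get(domain, [])):
        for ip in a.get(host, []):
            names = [norm(n) for n in ptr.get(ip, [])]
            if not names:
                findings.append((ip, "no-ptr"))
            for name in names:
                if ip not in a.get(name, []):
                    # The PTR name must resolve forward to the same address.
                    findings.append((ip, "ptr-not-forward-confirmed"))
                if ip.replace(".", "-") in name:
                    # Heuristic: address embedded in the name, ISP pool style.
                    findings.append((ip, "ptr-generic"))
                if name != host:
                    # The thread's advice: the PTR should be the MX name.
                    findings.append((ip, "ptr-differs-from-mx"))
    return findings


if __name__ == "__main__":
    print("before:", check_mail_ptr("example.com", MX, A_BEFORE, PTR_BEFORE))
    print("after: ", check_mail_ptr("example.com", MX, A_AFTER, PTR_AFTER))
```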
Old 07-17-2010 | 11:16 PM
  #12  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
Ok I got in contact with my ISP and got the PTR changed. I've set up accounts on the Macs, PCs and iPhones and everything is working!

Now, contact and calendar sharing! Do I really have to do a federation trust thing to share between the same domain, same server, same everything. I just want to share contacts and calendars between the users on the domain. No external domains crazy forest shit.
Old 07-17-2010 | 11:35 PM
  #13  
#1 STUNNA's Avatar
Thread Starter
Sanest Florida Man
 
Joined: Aug 2007
Posts: 44,624
Likes: 10,909
From: Florida
Never mind, I found it! Still trying to learn my way around this thing