Solved

We don't own our internal domain

Posted on 2010-09-03
Last Modified: 2012-05-10
Our internal domain is owned by someone else and they aren't selling. I've purchased a UNC cert for the external domain, but the issue I'm facing is, when we open up Outlook we get an alert: "The name on the security certificate is invalid or does not match the name of the site."


I need this to go away; does anyone have a fix?
Question by:Puke Foo
17 Comments
 

Accepted Solution

by:
Mike Thomas earned 1000 total points
ID: 33597263
It does not really matter what your internal domain is called; what matters is that the URL the user types matches the certificate on the Exchange server. It is no different really from how most setups go: for example, most domains will be called company.local but the email domain will be company.com. However, if your email domain is owned by someone else, that's another story.
 

Expert Comment

by:pbeirne
ID: 33597339
Configure your certificate to use multiple client access server hostnames:

http://technet.microsoft.com/en-us/library/aa995942.aspx
 

Assisted Solution

by:endital1097
endital1097 earned 1000 total points
ID: 33597345
Do you use split DNS, i.e. an external DNS zone for yourdomain.com and an internal zone for yourdomain.com? (This is for your external presence, i.e. the domain users use to access OWA.)

If you do, you can configure Autodiscover and the web services to use a certificate that only uses your external domain presence.

 

Expert Comment

by:Nuttycomputer
ID: 33597349
As MojoTech stated, your internal domain is just that, internal, so it doesn't matter what it is called.

The same goes for certificates, in that it appears you went out and bought a public certificate for your external domain and are trying to use it for the internal domain, which will not work.

I suggest the following to resolve this:

Reference this technet article: http://technet.microsoft.com/en-us/library/bb457160.aspx

Get a version of Enterprise Edition of Windows Server 2003 or 2008 and set up a stand-alone root certificate authority for your internal domain. Also set up an enterprise subordinate certificate authority. Once you've set up the stand-alone root and issued a certificate to the enterprise subordinate, the root can and should be taken offline. You can then use the enterprise subordinate to issue certificates for your internal domain and to users via Active Directory.
 

Expert Comment

by:endital1097
ID: 33597381
Example:
Users access OWA by going to https://owa.contoso.com/owa.
Your internal domain is microsoft.com (obviously you don't own that one :)

If you have an internal DNS zone for contoso.com, you can configure your URLs to use contoso.com, and your certificate does not need the other domain name:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://owa.contoso.com/ews/exchange.asmx -ExternalURL https://owa.contoso.com/ews/exchange.asmx
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalURL https://owa.contoso.com/oab -ExternalURL https://owa.contoso.com/oab
Set-ClientAccessServer CASName -AutoDiscoverServiceInternalURI https://owa.contoso.com/autodiscover/autodiscover.xml
Set-OutlookAnywhere -Server CASName -ExternalHostName owa.contoso.com
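A check to run after changing the URLs as described in the comment above, added here as an example and not code from the thread: it lists every hostname Autodiscover hands to Outlook and flags any that the IIS-bound certificate does not cover, which is exactly what produces the "name on the security certificate" prompt. It assumes the Exchange 2010 Management Shell and a single Client Access server; CASName is a placeholder.

```powershell
# Added example (not from the thread): audit the URLs Autodiscover hands to
# Outlook against the names on the certificate bound to IIS. Any MISMATCH line
# is a hostname that will trigger the "name on the security certificate is
# invalid or does not match the name of the site" prompt.
# Assumes Exchange 2010 Management Shell; $CasName is a placeholder.
$CasName = "CASName"

# Names the IIS-bound certificate covers (subject CN plus SAN entries).
$cert = Get-ExchangeCertificate -Server $CasName |
    Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-NameOnCert([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        # A wildcard entry covers exactly one label to its left, no more.
        if ($n.StartsWith("*.") -and ($h -like $n) -and
            ($h.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Collect every URL or hostname Outlook will be told to use.
$urls = @()
foreach ($vd in Get-WebServicesVirtualDirectory -Server $CasName) {
    $urls += @{ Source = "EWS internal"; Url = $vd.InternalUrl }
    $urls += @{ Source = "EWS external"; Url = $vd.ExternalUrl }
}
foreach ($vd in Get-OabVirtualDirectory -Server $CasName) {
    $urls += @{ Source = "OAB internal"; Url = $vd.InternalUrl }
    $urls += @{ Source = "OAB external"; Url = $vd.ExternalUrl }
}
$cas = Get-ClientAccessServer $CasName
$urls += @{ Source = "Autodiscover SCP"; Url = $cas.AutoDiscoverServiceInternalUri }
foreach ($oa in Get-OutlookAnywhere -Server $CasName) {
    # Outlook Anywhere publishes a bare hostname; wrap it so [Uri] can parse it.
    $oaUrl = if ($oa.ExternalHostname) { "https://$($oa.ExternalHostname)/" } else { $null }
    $urls += @{ Source = "Outlook Anywhere"; Url = $oaUrl }
}

# Report: OK means the certificate covers the name, MISMATCH means it does not.
foreach ($u in $urls) {
    if (-not $u.Url) { "{0,-18} (not set)" -f $u.Source; continue }
    $name = ([Uri]"$($u.Url)").Host
    $status = if (Test-NameOnCert $name) { "OK" } else { "MISMATCH" }
    "{0,-18} {1,-40} {2}" -f $u.Source, $name, $status
}
```

A "(not set)" row is not a mismatch, but Outlook falls back to the server's own name for that service, so it is worth setting explicitly as in the commands above.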
 

Author Comment

by:Puke Foo
ID: 33598307
Nuttycomputer,

To be clear, you're saying I should create A records in my external DNS zone (on the internal DNS server) for my CAS array name / mail server names, and then change Autodiscover to point to the external zone, as well as OAB, free/busy, etc.?

 

Expert Comment

by:endital1097
ID: 33598480
You need to know what DNS zones you have internally.
Your configuration will depend on DNS and the zones you have internally.
 

Author Comment

by:Puke Foo
ID: 33598486
I have an internal DNS zone for my external DNS. Does that make sense?
 

Expert Comment

by:endital1097
ID: 33598547
Yes, what that means is you can configure all of your URL values with the external name used by clients.

Here is an article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
 

Author Comment

by:Puke Foo
ID: 33598558
Thanks. Real quick, will I need to reconfigure my CAS array as well?
 

Author Comment

by:Puke Foo
ID: 33598649
We do not have a split-brain domain.
 

Expert Comment

by:endital1097
ID: 33598720
You said you had an internal DNS zone for external DNS.

You don't need to reconfigure your CAS array; that is independent of these web services.
 

Author Comment

by:Puke Foo
ID: 33598739
We do have an internal DNS zone for the external DNS, but the internal domain name is not ours; we do not own it. So I can't get a cert for our internal DNS domain name. But I have created an internal zone for the external DNS so we can resolve those external addresses internally.
 

Author Comment

by:Puke Foo
ID: 33598795
To be clear, we have an external DNS domain, contoso.com. We have an internal domain for both AD and DNS; say it's windows.com. We don't own windows.com, but I do have an internal zone for it. But I can't get a cert for it because I don't own it.
 

Author Comment

by:Puke Foo
ID: 33598806
I meant to say we have an internal domain for both AD and DNS, called windows.com.
 

Expert Comment

by:endital1097
ID: 33598822
Your external domain is contoso.com.
Do you have an internal DNS zone for contoso.com?
 

Expert Comment

by:Nuttycomputer
ID: 33599688
batstrading,

While you can't get a certificate for "windows.com" from a public issuing authority, because the domain is strictly used internally you don't need it to be issued by one.

You can install Certificate Services as I mentioned in my previous post and create the certificate yourself for the server. You can then distribute it to all internal clients.