Exchange migration 2007 to 2010 AND domain name change

Posted on 2012-09-04
Last Modified: 2012-09-05

I would like to do 2 things with my Exchange organisation, ideally at the same time.

1. Migrate from Exchange 2007 to Exchange 2010
2. Change the external access URL from to

I have set up a lab environment and restored a backup of my production exch2007 and a domain controller into it.  For the purpose of live testing I have also got a real public domain name to use so I can send mail in and out of the lab setup.

I have a split DNS setup so there is a public DNS server for and which is used externally, and I also maintain the 2 zones on our internal DNS for use by internal clients.

Exchange 2007 Server
Internal DNS name: (the .int TLD here is a problem because I can't get an SSL cert with that extension.  It's reserved for specific organisations.  It was chosen many years ago by one of my predecessors).
External DNS name:

I intend to decommission the exch2007 server so the whole exchange organisation is on 2010.

I've built a new server and installed exch2010 on it.  It is configured with the new public DNS name

Exchange 2010 Server
Internal DNS name:
External DNS name:

The mail routing works fine between the 2 servers and to and from the internet in this coexistence scenario. I have also moved user1's mailbox from exch2007 to exch2010 and seen new features light up in Outlook 2010.

I have installed a new UC SSL certificate on the exch2010 box and also imported that cert onto the exch2007 box.  This is from a public CA.

Public CA SSL Cert
Common Name:

Additionally both servers have an internal SSL cert issued by our internal enterprise CA.

Common name:


Common name:

The Problem...

When I open outlook I get a certificate warning message that appears twice. 'The name on the security certificate is invalid or does not match the name of the site'.  The name on the warning message is and the certificate being offered is the public CA SSL cert.

Exchange services assigned to certs

Exch2007                    IP.WS      ....S

Exch2010                    IP.WS.      ....S.

So I'm not really sure where my problem is. I think it's to do with certificate assignment, in which case does anybody know what I should have done differently?  Or, is it because I am trying to change the external domain name at the same time as the migration?

Any help you could offer would be much appreciated.


Question by:avitman
    LVL 18

    Accepted Solution

    Your issue is with the internal domain name .int. I worked with a client on the exact same issue whereby the servers were previously set up with for their internal domain name. Although this was not a problem on Exchange 2003, it was on Exchange 2010.

    You won't be able to purchase the .int domain name either as it's reserved for special organisations.

    In our case, with the problem at hand and redoing the domain, the client decided just to acknowledge that prompt and carry on working.

    You can't do a domain rename, as it's not supported on Exchange 2007 / 2010 and probably will break your server too.

    Not much can really be done and the only option would be a new domain and to migrate emails and services across.

    Here is a question which may also provide some assistance:

    Finally, this MS post should in theory help with your scenario at hand:

    Let me know how you get along.
    LVL 5

    Expert Comment

    You can do it in 2 ways: technically and non-technically.

    For the technical way, follow these steps:
    1. If you don’t have ADSIEdit registered by default, then open command line in admin mode and type:

    regsvr32 adsiedit.dll

    You will get a confirmation message when the installation is complete.

    2. Open Run box, type in mmc and press Enter.

    3. MMC console opens up, go to Add / Remove Snap In… option under File menu.

    4. Select ADSI Edit snap-in from the list and bring it to right column using Add button.

    5. ADSI Edit option will be now available in the MMC console. Right click on it, property list appears. Select Connect To… option from the property list.

    6. Connection Setting properties box opens up. Change the option for Select a well known Naming Context to ‘Configuration’. Your old Exchange server (2007) will be listed in the path field. Click Ok.

    7. A tree structure would open up with Exchange 2007 displayed in its internal Fully Qualified Domain Name at the top of the tree.

    8. Before proceeding further please note that editing Active Directory incorrectly can render your domain unusable. Take extreme precaution while editing it.

    9. Follow the Directory tree to the bottom. It would be something like this:

    Configuration [servername]->
    Configuration ->
    Services ->
    Microsoft Exchange ->
    Your Organizational Name->
    Administrative Groups->
    Exchange Administrative Group->
    Exchange 2007 Server Name->
    Information Store->
    Second Storage Group->


    Under Second Storage Group, there will be an entry called Public Folder Database.

    Right-click on this entry to delete it.

    10. Now try running the uninstaller again and you should not encounter this error.

    Author Comment

    Kernel_Recovery_Tools - did you post this by mistake?  Apologies if you didn't but I can't see how any of that relates to my issue?

    Author Comment

    We've had Exchange 2007 in place for quite some time and the same split DNS scenario exists but we DO NOT get the cert warning there.  Is there a significant difference between 2007 and 2010 regarding this?

    If I could force Outlook to resolve directly to exch2010 I think the problem would be solved.  What actually happens is that resolves to every time.  I've tried using both an A record and a CNAME record on our internal DNS but both have the same result.

    A record: >
    CNAME record: >
    with A record >

    Author Comment

    Just tried modifying the hosts file on my test computer to rule out DNS but still get the cert warning.

    Author Comment

    netflo - thanks for your comment, I don't much like the sound of migrating to a new internal domain!

    I understand the problem with the .int in our domain name but I can issue certs using our enterprise CA which I've done.  Do you know if I can get Exchange 2010 to use both certificates?
    LVL 18

    Expert Comment

    The problem lies with the fact of which services you apply to the certificate and yours relates to IIS. If you apply your internal CA cert to Exchange, this will keep your internal machines quiet, but will give an error on the OWA or webmail access.

    Another way to get around this would be to introduce a separate CAS server. That way you can get away with public SSL cert on that interface, for and The internal CA will suffice for your internal .int names.

    You would also need to push out the certificates to client machines to add it to their trusted root, so there is no untrusted prompt.

    Have you had a look at the MS link I provided previously? This is where you tell Exchange to use the URL internally. You would also need to create a new DNS forward lookup zone for and create a new host record with a blank name and point it to your Exchange 2010 server internal IP.

    Author Closing Comment

    @Netflo - thank you, the MS post did the trick for me, I needed to change my internal URIs.  I didn't set up a new DNS zone in the end, I already had a zone for and had previously created A records for mail, legacy, and autodiscover in there.

    Many thanks for your help!
    LVL 18

    Expert Comment

    Glad to hear you're up and running, you're welcome :)
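
The thread resolves once the internal URIs point at a name that is on the certificate bound to IIS. The following audit script is an added example, not taken from the thread or from the linked MS post; it assumes it is run in the Exchange Management Shell on the Exchange 2010 server and only reads configuration.

```powershell
# Added example: list internal URLs whose host name is NOT covered by the
# certificate(s) assigned to the IIS (W) service. Read-only; PowerShell 2.0 compatible.

# Names (subject + SANs) on every certificate enabled for IIS
$certNames = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } |
    Sort-Object -Unique

function Test-NameCovered([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        # A wildcard name covers exactly one left-most label
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.') + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# URLs that Autodiscover hands to domain-joined Outlook clients
$urls = @()
$urls += Get-ClientAccessServer | Select-Object `
    @{n='Source';e={"Autodiscover SCP ($($_.Name))"}},
    @{n='Url';e={"$($_.AutoDiscoverServiceInternalUri)"}}

foreach ($cmd in 'Get-WebServicesVirtualDirectory','Get-OabVirtualDirectory') {
    $urls += & $cmd | Select-Object `
        @{n='Source';e={"$cmd ($($_.Server))"}},
        @{n='Url';e={"$($_.InternalUrl)"}}
}

# Compare each URL's host against the certificate names
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]$_.Url).Host
    New-Object PSObject -Property @{
        Source  = $_.Source
        Url     = $_.Url
        Covered = (Test-NameCovered $hostName)
    }
} | Format-Table Source, Url, Covered -AutoSize
```

Any row with Covered = False is a URL that internal Outlook clients will be sent to and warn on; it is changed with `Set-ClientAccessServer -AutodiscoverServiceInternalUri` or the matching `Set-WebServicesVirtualDirectory` / `Set-OabVirtualDirectory -InternalUrl`.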
