

Exchange migration 2007 to 2010 AND domain name change

Posted on 2012-09-04
Medium Priority
Last Modified: 2012-09-05

I would like to do 2 things with my Exchange organisation, ideally at the same time.

1. Migrate from Exchange 2007 to Exchange 2010
2. Change the external access URL from mail.external1.com to mail.external2.com

I have set up a lab environment and restored a backup of my production exch2007 and a domain controller into it.  For the purpose of live testing I have also got a real public domain name to use so I can send mail in and out of the lab setup.

I have a split DNS setup so there is a public DNS server for external1.com and external2.com which is used externally, and I also maintain the 2 zones on our internal DNS for use by internal clients.

Exchange 2007 Server
Internal DNS name:      exch2007.internal.int (the .int TLD here is a problem because I can't get an SSL cert with that extension.  It's reserved for specific organisations.  It was chosen many years ago by one of my predecessors).
External DNS name:      mail.external1.com

I intend to decommission the exch2007 server so the whole Exchange organisation is on 2010.

I've built a new server and installed exch2010 on it.  It is configured with the new public DNS name mail.external2.com.

Exchange 2010 Server
Internal DNS name:      exch2010.internal.int
External DNS name:      mail.external2.com

The mail routing works fine between the 2 servers and to and from the internet in this coexistence scenario.  I have also moved user1's mailbox from exch2007 to exch2010 and seen new features light up in Outlook 2010.

I have installed a new UC SSL certificate on the exch2010 box and also imported that cert onto the exch2007 box.  This is from a public CA.

Public CA SSL Cert
Common Name:      mail.external2.com
SAN:            mail.external1.com
SAN:            autodiscover.external2.com
SAN:            legacy.external2.com

Additionally both servers have an internal SSL cert issued by our internal enterprise CA.

Common name:      exch2007.internal.int


Common name:      exch2010.internal.int

The Problem...

When I open Outlook I get a certificate warning message that appears twice: 'The name on the security certificate is invalid or does not match the name of the site'.  The name on the warning message is exch2010.internal.int and the certificate being offered is the public CA SSL cert.

Exchange services assigned to certs

mail.external2.com:                    IP.WS
exch2007.internal.int:      ....S

mail.external2.com:                    IP.WS.
exch2010.internal.int:      ....S.

So I'm not really sure where my problem is. I think it's to do with certificate assignment, in which case does anybody know what I should have done differently?  Or, is it because I am trying to change the external domain name at the same time as the migration?

Any help you could offer would be much appreciated.


Question by: avitman

Accepted Solution

Netflo earned 2000 total points
ID: 38362997
Your issue is with the internal domain name .int. I worked with a client on the exact same issue whereby the servers were previously set up with domain.int for their internal domain name. Although this was not a problem on Exchange 2003, it was on Exchange 2010.

You won't be able to purchase the .int domain name either, as it's reserved for special organisations.

In our case, with the problem at hand and redoing the domain, the client decided just to acknowledge that prompt and carry on working.

You can't do a domain rename, as it's not supported on Exchange 2007 / 2010 and will probably break your server too.

Not much can really be done, and the only option would be a new domain and migrating emails and services across.

Here is a question which may also provide some assistance: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27017396.html

Finally, this MS post should in theory help with your scenario at hand: http://support.microsoft.com/kb/940726/en-us

Let me know how you get along.

Expert Comment

ID: 38363093
You can do it in 2 ways: technically and non-technically.

For the technical way, follow these steps:
1. If you don’t have ADSIEdit registered by default, then open command line in admin mode and type:

regsvr32 adsiedit.dll

You will get a confirmation message when the installation is complete.

2. Open Run box, type in mmc and press Enter.

3. MMC console opens up, go to Add / Remove Snap In… option under File menu.

4. Select ADSI Edit snap-in from the list and bring it to right column using Add button.

5. ADSI Edit option will be now available in the MMC console. Right click on it, property list appears. Select Connect To… option from the property list.

6. Connection Setting properties box opens up. Change the option for Select a well known Naming Context to 'Configuration'. Your old Exchange server (2007) will be listed in the path field. Click OK.

7. A tree structure would open up with Exchange 2007 displayed in its internal Fully Qualified Domain Name at the top of the tree.

8. Before proceeding further please note that editing Active Directory incorrectly can render your domain unusable. Take extreme precaution while editing it.

9. Follow the Directory tree to the bottom. It would be something like this:

Configuration [servername]->
Configuration ->
Services ->
Microsoft Exchange ->
Your Organizational Name->
Administrative Groups->
Exchange Administrative Group->
Exchange 2007 Server Name->
Information Store->
Second Storage Group->


Under Second Storage Group, there will be an entry called Public Folder Database.

Right-click on this entry to delete it.

10. Now try running the uninstaller again and you should not encounter this error.

Author Comment

ID: 38363100
Kernel_Recovery_Tools - did you post this by mistake?  Apologies if you didn't, but I can't see how any of that relates to my issue?


Author Comment

ID: 38363114
We've had Exchange 2007 in place for quite some time and the same split DNS scenario exists but we DO NOT get the cert warning there.  Is there a significant difference between 2007 and 2010 regarding this?

If I could force Outlook to resolve mail.external2.com directly to exch2010 I think the problem would be solved.  What actually happens is that mail.external2.com resolves to exch2010.internal.int every time.  I've tried using both an A record and a CNAME record on our internal DNS but both have the same result.

A record:     mail.external2.com >
CNAME record:  mail.external2.com > exch2010.internal.int
with A record exch2010.internal.int >

Author Comment

ID: 38363141
Just tried modifying the hosts file on my test computer to rule out DNS, but I still get the cert warning.

Author Comment

ID: 38363177
Netflo - thanks for your comment, I don't much like the sound of migrating to a new internal domain!

I understand the problem with the .int in our domain name, but I can issue certs using our enterprise CA, which I've done.  Do you know if I can get Exchange 2010 to use both certificates?

Expert Comment

ID: 38363208
The problem lies with which services you apply to the certificate, and yours relates to IIS. If you apply your internal CA cert to Exchange, this will keep your internal machines quiet, but will give an error on the OWA or webmail access.

Another way to get around this would be to introduce a separate CAS server. That way you can get away with public SSL cert on that interface, for mail.domain.com and autodiscover.domain.com. The internal CA will suffice for your internal .int names.

You would also need to push out the certificates to client machines to add them to their trusted root, so there is no untrusted prompt.

Have you had a look at the MS link I provided previously? This is where you tell Exchange to use the mail.domain.com URL internally. You would also need to create a new DNS forward lookup zone for mail.domain.com and create a new host record with a blank name and point it to your Exchange 2010 server internal IP.
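As an added example (not code from this thread, from Netflo, or from the Microsoft KB article linked above), the following script audits what the accepted answer describes: it compares the internal URLs that Outlook learns from the Autodiscover SCP and the Client Access virtual directories against the names on the certificate bound to IIS, checks that the replacement name resolves through the internal split DNS to the Exchange 2010 server, and only with `-Apply` repoints the mismatched URLs at that name. The server name and `mail.external2.com` are assumed values for this lab scenario; run it from the Exchange 2010 Management Shell.

```powershell
# Added example (not from this thread, not Microsoft's KB text): audit the
# internal URLs of an Exchange 2010 Client Access server against the names on
# the certificate bound to IIS, check split-DNS resolution of the replacement
# name, and optionally repoint the URLs. Run in the Exchange Management Shell.
# $Server and $NewHost below are assumed values for this lab scenario.
param(
    [string]$Server  = $env:COMPUTERNAME,      # e.g. exch2010
    [string]$NewHost = 'mail.external2.com',   # a name that IS on the public cert
    [switch]$Apply                             # default is report-only
)

# True when $Name is covered by one of the certificate's DNS names.
# A wildcard entry (*.example.com) covers exactly one label, as clients enforce.
function Test-CertCoversName {
    param([string[]]$CertDomains, [string]$Name)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+\.' + [regex]::Escape($d.Substring(2)) + '$'
            if ($Name -imatch $pattern) { return $true }
        }
    }
    return $false
}

# 1. Which certificate does IIS (OWA/EWS/OAB/Autodiscover/Outlook Anywhere) present?
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    Select-Object -First 1
if (-not $iisCert) { throw "No certificate on $Server has the IIS service enabled." }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })
Write-Host ("IIS certificate {0} covers: {1}" -f $iisCert.Thumbprint, ($certNames -join ', '))

# 2. Does the replacement name resolve (from this box) to this server's addresses?
$serverIps  = [System.Net.Dns]::GetHostAddresses($Server)  | ForEach-Object { $_.ToString() }
$newHostIps = [System.Net.Dns]::GetHostAddresses($NewHost) | ForEach-Object { $_.ToString() }
$dnsOk = @($newHostIps | Where-Object { $serverIps -contains $_ }).Count -gt 0
Write-Host ("{0} resolves to {1}; points at this server: {2}" -f $NewHost, ($newHostIps -join ', '), $dnsOk)

# 3. Collect the URLs Outlook learns from the SCP and the virtual directories.
$entries = @()
$cas = Get-ClientAccessServer -Identity $Server
$entries += New-Object PSObject -Property @{ Kind = 'Autodiscover SCP'; Identity = $cas.Identity.ToString(); Url = $cas.AutoDiscoverServiceInternalUri }
foreach ($vd in Get-WebServicesVirtualDirectory -Server $Server) {
    $entries += New-Object PSObject -Property @{ Kind = 'EWS'; Identity = $vd.Identity.ToString(); Url = $vd.InternalUrl } }
foreach ($vd in Get-OabVirtualDirectory -Server $Server) {
    $entries += New-Object PSObject -Property @{ Kind = 'OAB'; Identity = $vd.Identity.ToString(); Url = $vd.InternalUrl } }
foreach ($vd in Get-ActiveSyncVirtualDirectory -Server $Server) {
    $entries += New-Object PSObject -Property @{ Kind = 'ActiveSync'; Identity = $vd.Identity.ToString(); Url = $vd.InternalUrl } }

# 4. Report each URL; with -Apply, rewrite only those whose host is not on the cert.
foreach ($e in $entries) {
    if (-not $e.Url) { Write-Host ("{0,-16} (no internal URL set)" -f $e.Kind); continue }
    $u  = [uri]$e.Url
    $ok = Test-CertCoversName -CertDomains $certNames -Name $u.Host
    Write-Host ("{0,-16} {1}  cert match: {2}" -f $e.Kind, $u.AbsoluteUri, $ok)
    if ($ok -or -not $Apply) { continue }
    if (-not $dnsOk) { Write-Warning "Not rewriting: $NewHost does not resolve to $Server yet."; continue }
    # Keep the path, swap only the host, so each service keeps its own endpoint.
    $fixed = [uri]('https://' + $NewHost + $u.PathAndQuery)
    switch ($e.Kind) {
        'Autodiscover SCP' { Set-ClientAccessServer -Identity $e.Identity -AutoDiscoverServiceInternalUri $fixed }
        'EWS'              { Set-WebServicesVirtualDirectory -Identity $e.Identity -InternalUrl $fixed }
        'OAB'              { Set-OabVirtualDirectory -Identity $e.Identity -InternalUrl $fixed }
        'ActiveSync'       { Set-ActiveSyncVirtualDirectory -Identity $e.Identity -InternalUrl $fixed }
    }
    Write-Host ("{0,-16} -> {1}" -f $e.Kind, $fixed.AbsoluteUri)
}
```

Run it without `-Apply` first: the report shows exactly which URL still carries the `.int` host name that the Outlook warning quotes, and whether the internal zone for the public name already points at the 2010 server (the A record the question's author mentions). The rewrite deliberately refuses to change anything until that DNS check passes, because repointing the URLs at a name that does not resolve internally would move the failure from a certificate prompt to a connection failure. The internal CA certificate can stay enabled for SMTP; this only concerns the services that IIS fronts.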

Author Closing Comment

ID: 38366896
@Netflo - thank you, the MS post did the trick for me, I needed to change my internal URIs.  I didn't set up a new DNS zone in the end, I already had a zone for external2.com and had previously created A records for mail, legacy, and autodiscover in there.

Many thanks for your help!

Expert Comment

ID: 38370159
Glad to hear you're up and running, you're welcome :)
