Exchange 2007 SSL Certificate DNS issue

Posted on 2012-09-19
Last Modified: 2012-09-19
Good day,

I work for a managed service provider, and we have inherited a client in a unique situation with their exchange SSL certificate we could really use some advice on. The situation is as follows:

Client has Exchange 2007 running on Windows Server 2k3 x64 on an active directory domain. Outlook anywhere is configured.

When the client's domain was set up by their old IT provider, they set up a whole-brain DNS configuration. Meaning, the external domain name registration and DNS is the same as their internal Active Directory DNS domain and AD integrated zone. Let's just call this

The old IT company registered/issued and applied an SSL certificate to exchange for . Of course OWA and Outlook anywhere used this certificate, life was peachy.

The client and the old IT company very poorly managed external DNS registrations. Let's just say they had over 30 domains (for a small org), spread across roughly 3-5 different registrars and such. Well, during this period of time was so poorly managed that no one was notified of it expiring, and it expired. The domain was then registered by another 3rd party and is now a camping website (like an actual outdoors camping website, not "camped" by a domain squatter or anything).

The old IT company's solution to this problem was to simply register a new domain. Let's call this new domain . So the old IT company directed all things external using this new domain, and life went on. That old IT company got punted by the client; this is where the company I work for steps in.

Turns out the old SSL certificate for was still applied to Exchange, and in use for OWA, Exchange anywhere etc. This certificate remained valid AFTER the client lost registration to , as the certificate was configured to expire 1-2 years after their domain was lost to a 3rd party. Well, the certificate expired a few weeks back.

So the client gets prompted to continue untrusted in OWA, Outlook Anywhere is broken, and everyone on the internal domain using Outlook gets non-stop certificate prompts.

Unfortunately, since the DNS is whole-brain, and internally AD/Exchange essentially everything still uses , and we don't own anymore, an external SSL certificate cannot be generated with in the name by a trusted CA. Puts us in a tight spot.

As an interim solution, we have generated a self-signed certificate for and applied this to Exchange/IIS. Internal Outlook clients no longer prompt with certificate issues; unfortunately, externally the certificate is not trusted, so OWA has a warning before the logon screen, and Outlook Anywhere used externally is riddled with certificate prompts that can't be gotten rid of.

We have registered a certificate for their new domain ; sure, it gets rid of the OWA prompt, but internally Outlook cert prompts come back since they are using , and it still does not fix Outlook Anywhere. We've left this client running as described in the above paragraph.

So as far as solutions go, things considered:
- Contact the new admin of , see if they can generate an SSL cert for us, or buy out the domain. This is NOT an option. This will not be explored.

- The other option is to change their internal Active Directory DNS integrated zone from to . So changing their forest root domain... then somehow changing Exchange to also use . Then as far as certificates go, use . This is where things are unclear on the how-to side, and we are not entirely sure how to go about this properly, or if such a thing should be done at all. We are looking for as complete and quick a fix as possible.

So, my question: with the scenario described, what would be the best course of action to fix this? What things should be considered?

(Keep in mind that as far as external registrations go, is out of the picture. We only have to work with.)

Thanks for sticking with this TL;DR question.
Question by: cvadmin

    Accepted Solution

    This isn't unique by any means. I see this frequently, where admins use domains that are not registered to them.

    All that needs to be done is Exchange reconfigured to use another domain for its web services, and a split DNS system used to allow the external name to be used internally.

    I haven't got this exact scenario on my web site, because you should be able to use autodiscover on the new domain.

    The basic steps are this:

    However when you do the SSL request, also include (where is the domain after the @ on their email addresses).
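    As an added example (not code from the thread or from the answerer), here is what the reconfiguration the accepted answer describes looks like in Exchange 2007 Management Shell syntax, with dnscmd on the Windows Server 2003 DNS server for the split DNS zone. The internal AD domain itself is left untouched; only the Exchange web service names and the certificate move to the domain the client still owns. All domain names, the server name, the organisation name and the IP address below are placeholders, since the thread's real names are not on the page; the second name in the certificate request is an assumption that follows the answer's hint to include an additional name.

```powershell
# Added example, not from the original thread. Run in the Exchange 2007
# Management Shell on the Client Access Server; dnscmd lines run on the
# internal DNS server. Every name/address here is a constructed placeholder.
$Server     = "EXCH01"                      # placeholder CAS/Mailbox server
$PublicName = "mail.NEWDOMAIN.example"      # placeholder: name on the new cert
$AutoName   = "autodiscover.NEWDOMAIN.example"  # assumption: second cert name
$InternalIp = "10.0.0.5"                    # placeholder internal server IP

# 1. Certificate request for the owned domain only (no name from the lost
#    domain can be issued by a public CA). Both names go in as SANs.
New-ExchangeCertificate -GenerateRequest -Path "C:\certreq.txt" `
    -SubjectName "c=US, o=Client Org Placeholder, cn=$PublicName" `
    -DomainName $PublicName, $AutoName `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange $PublicName"

# 2. After the CA returns C:\cert.cer: import it and bind it to IIS, which
#    replaces the self-signed certificate for OWA, EWS, OAB and Outlook Anywhere.
Import-ExchangeCertificate -Path "C:\cert.cer" | Enable-ExchangeCertificate -Services "IIS"

# 3. Point every client-facing URL at the new public name, internally and
#    externally, so Outlook stops seeing a host name the cert does not cover.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$PublicName/owa" -ExternalUrl "https://$PublicName/owa"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB" -ExternalUrl "https://$PublicName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity $Server `
    -AutodiscoverServiceInternalUri "https://$AutoName/Autodiscover/Autodiscover.xml"
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $PublicName

# 4. Split DNS: an internal copy of the owned zone so the public names resolve
#    to the internal address from inside the LAN (run on the DNS server).
dnscmd . /ZoneAdd NEWDOMAIN.example /DsPrimary
dnscmd . /RecordAdd NEWDOMAIN.example mail         A $InternalIp
dnscmd . /RecordAdd NEWDOMAIN.example autodiscover A $InternalIp

# 5. Verify: every URL should now carry the new name, and the web services
#    test should succeed without certificate errors.
Get-OwaVirtualDirectory | Format-List Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere | Format-List Identity, ExternalHostname
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains
Test-OutlookWebServices -Identity "user@NEWDOMAIN.example"   # placeholder mailbox
```

    Two things to check before doing this for real. First, the internal zone created in step 4 now answers for the whole owned domain, so any public record that domain carries (www, MX, and so on) must be duplicated into the internal zone or internal clients will stop resolving it; if that is unwanted, create a zone named exactly `mail.NEWDOMAIN.example` with a blank A record instead, and the same for the autodiscover name. Second, the users' primary SMTP address domain decides which autodiscover name Outlook looks for, which is why the answer says to include that extra name in the certificate request.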


    Author Closing Comment

    Thanks, we have pretty much come to the same consensus on this and just changing Exchange domain (+outlook anywhere) seems to be best answer.

    Just wanted to confirm this was the case.
