  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 713

Remove/change Primary external domain in SBS2008

Summary and issue:
My client is running SBS 2008, which comes with Exchange 2007 and AD built in. I have already configured the domain to use firstdomain.com. Everything is working fine (OWA, Outlook, RWW, etc.); RWW is mail.firstdomain.com. Then she wanted to add seconddomain.com and stop using firstdomain.com. I added the new domain to Exchange and configured it as the new accepted domain, set it as default and updated the email policy so it is the primary send and receive. I also set up the MX record to point to the IP of firstdomain.com. The only hitch I encountered was the certificate warning that would pop up for external Outlook users. I explained that she needed to buy a new cert (SAN) that included autodiscover.seconddomain.com, firstdomain.com, and also seconddomain.com. The cost is crazy for the SAN, so now she wants to totally remove firstdomain.com from the network.
****************************
Plan of action:
1. Run the Internet Wizard and set seconddomain.com as the new primary external domain
2. Change the MX record to point to the IP of seconddomain.com
3. Run the cert wizard in the SBS console
4. Remove firstdomain.com from the accepted domains in EMC
************************
Concerns and questions:
1. There was no autodiscover issue when there was one domain. Should I expect any now that I am going back to having one domain after removing firstdomain.com?
2. Would I still need to purchase a cert that included autodiscover.seconddomain.com? (Seems like this would depend on the answer to question 1, lol.)
3. When the Internet Wizard is run for seconddomain.com, would it also create virtual directories for OWA, EWS, etc., whereby I can now use mail.seconddomain as the new URL for RWW?
4. Can I leave the old MX record in place until the new one propagates to the DNS servers around the internet? I just don't want any, or minimal, email downtime. I guess the better question would be: how do I avoid or minimize email downtime?
Asked: xzay1967

Simon Butler (Sembee), Consultant, commented:
An MX record just points to a host name, which points to an IP address. Therefore, as long as the server is able to accept email for that domain, it will be fine.
A suitable SAN will be $60/year.

As soon as you run the wizards, everything will be changed to use the new host name, so you will need to do the certificate later. You do need to cover Autodiscover, particularly for external users, so that will need to be in the SSL certificate, unless you are using SRV records.

Simon.
xzay1967 (Author) commented:
Hmm, thanks Simon, it would be very interesting to find a company that offers SAN certs for that low a price. All the providers I called were talking hundreds. I got a quote from Verisign and they quoted $900 per year for a SAN that included seconddomain.com, firstdomain.com, and autodiscover.seconddomain.com. I did that SRV record and pointed it to the IP of firstdomain.com (not sure if it is related), but now I get autodiscover for cpanelemail prompts when Outlook first runs. Is this some new thing? If it helps, the provider is Network Solutions that hosts seconddomain.com. Back to the MX record, I just remembered, I can add the other IP and just set the priority higher than the old one. Worst case, if mail can't hit it, it will revert to the next on the list. But I assume that once I run the Internet Wizard, OWA won't function for the old one anymore, or Outlook won't work until the DNS is caught up for seconddomain.com. Which brings me back to the cert: can I use Outlook or RWW until the cert is in place? In regards to the autodiscover, I never created a record for firstdomain.com when I set up the domain years ago. I assume that the Internet Wizard took care of all that when it created the virtual directories. Oh, one more: I am in Philly, the client is in TX, can I do this remotely?
Simon Butler (Sembee), Consultant, commented:
The provider of the domain name has no connection to the SSL certificate issuer. If you are looking at Network Solutions then of course you will pay - someone has to pay for all the blanket advertising they do in Google et al.

GoDaddy or one of their resellers such as https://certificatesforexchange.com/ do the certificates for that price. The certificates are trusted by the major players, including the iPhone and other mobile devices. 5 names on the certificate and unlimited servers.

On the subject of the MX records, remember it is just DNS. Therefore you could setup a new host name pointing to the same IP address if you like. It doesn't have to match the domain. For example your domain could be example.com but the MX record mail.example.net.

It can all be done remotely using RDP. If you configure the firewall to allow port 3389 through, rather than using RWW that should maintain the connection while the changes are made. Another option would be to install something like Log Me In free, but doing that through RDP isn't advised.

Simon.
xzay1967 (Author) commented:
You are a genius Simon, I actually forgot I could use GoToAssist for the remote work. I think for consistency I will create an A record called mail.seconddomain.com on the external DNS, then add an MX record entry called mail.seconddomain.com with a priority of 15, since the other (current) one is set to 10. The current MX record points to the IP of firstdomain.com, and since she wants to totally dump the old one, I may go with a new record. That way the record will already be in place for when I add the cert, plus mail won't use the new one unless the one with the priority of 10 is not accessible. Your thoughts please. Thanks for the tip on the cert provider.
xzay1967 (Author) commented:
Ok, so I went ahead and bought the cert; I will generate the request once I change the domain name. Once I change the primary domain on SBS, does the current email function stop working, i.e. OWA, Outlook, etc.? I am trying to get a feel for what to expect outage-wise so I can prepare for it.
Simon Butler (Sembee), Consultant, commented:
You can do the request before changing the domain name.
Do the request using the Exchange 2010 certificate wizard, rather than the SBS wizard.
Then complete the request through Exchange 2010 but DO NOT activate any services.
When you are ready to change things, simply do so in SBS as advised. As soon as you have completed the change, run the SSL wizard in SBS and your new certificate will be available.

If you include the existing URL and the existing autodiscover.example.com in the certificate, then the downtime will be measured in minutes.

That makes the full list (where example.com is the old domain, and example.co.uk is the new and you were using the "remote" name that SBS prefers):

remote.example.co.uk (common name)
remote.example.com
autodiscover.example.co.uk
autodiscover.example.com

Simon.
xzay1967 (Author) commented:
Thanks again for the detailed response Simon. I always thought that with SBS being so temperamental, not using the built-in wizard was advised. This is Exchange 2007, so I will have to figure out how to request the cert via EMS. If not too much to ask, can you assist me with that as well? Here is what I would like in the SAN request:
mail.wtaylorrealestate.com <<< current domain
mail.taylorrealestate.com <<< new domain
autodiscover.wtaylorrealestate.com
autodiscover.taylorrealestate.com
Not sure if I need to include the server name, but if I do, then it's wtr-dc01.wtaylor.local
xzay1967 (Author) commented:
http://exchange.sembee.info/ I believe I found your site, I will follow the instructions. Do you still recommend including "Sites" in the SAN? I have generated the CSR using EMS:
New-ExchangeCertificate -GenerateRequest -Path c:\mail_taylorrealestate_com.csr -KeySize 2048 -SubjectName "c=US, s=TX, l=Houston, o=Taylor Real Estate Group Inc, cn=mail.taylorrealestate.com" -DomainName mail.taylorrealestate.com, mail.wtaylorrealestate.com, autodiscover.taylorrealestate.com, autodiscover.wtaylorrealestate.com, wtr-dc01.wtaylor.local -PrivateKeyExportable $True
Should I redo it and include "Sites"? The only issue is I am only allowed 5 entries for the cert I purchased; if I have to include Sites, which can I remove and still be in the green?
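As an added example (not code from the thread or from Sembee's site), the Exchange 2007 EMS sequence Simon outlines: complete the pending request from the CSR above without touching any service, and bind it only after the SBS Internet Address wizard has run, with a check that the SAN list carries every name the clients will use. The CA response path, the -Bind switch and the IIS,SMTP service list are assumptions.

```powershell
# Added example, not from the thread. Exchange 2007 EMS on the SBS 2008 server.
# Phase 1 completes the pending request from the CSR above without binding it;
# phase 2 (run with -Bind after the Internet Address wizard) activates it.
param([switch]$Bind)

# Names every client path in the thread uses; the cert must carry all of them.
$required = 'mail.taylorrealestate.com', 'mail.wtaylorrealestate.com',
            'autodiscover.taylorrealestate.com', 'autodiscover.wtaylorrealestate.com'

# Assumed location of the CA response that answers the CSR.
$response = 'C:\mail_taylorrealestate_com.cer'

if (-not $Bind) {
    # Completing the request only pairs the issued cert with its private key;
    # no service is touched, so OWA and Outlook keep using the current cert.
    $cert = Import-ExchangeCertificate -Path $response
} else {
    # Pick the completed, private-key-bearing cert issued for the new CN.
    $cert = Get-ExchangeCertificate |
        Where-Object { $_.Subject -like 'CN=mail.taylorrealestate.com*' -and
                       $_.HasPrivateKey -and -not $_.IsSelfSigned } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# Refuse to go further if any name clients will connect to is missing.
$names   = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($required | Where-Object { $names -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) lacks: $($missing -join ', ')"
}

if ($Bind) {
    # Binding to IIS swaps the cert OWA, EWS and Autodiscover present; SMTP covers TLS.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'
} else {
    Write-Host "Completed $($cert.Thumbprint); all required names present, not yet bound."
}
```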
xzay1967 (Author) commented:
First let me extend a million thanks for your help. I have performed the operation, and all went well except for one glitch. Now, for some odd reason, when users launch Outlook internally, they are prompted with a cert warning that references the old domain. See screenshot. The cert does include the old domain as well as the new domain, so I am not sure what the problem is at this point.
[Screenshot attached: mail.taylorrealestate.png]
Simon Butler (Sembee), Consultant, commented:
You must have a reference to the old domain somewhere in Exchange.
On my site I do have all of the places that could hold them listed.

It is part of this article.
http://exchange.sembee.info/2007/install/singlenamessl.asp

You will have to go through to see if the SBS wizard missed something.

As for running the wizards, I think you will find that most SBS experts will say run the wizards. The trick is knowing what information to put in and working with the wizards.

Simon.
xzay1967 (Author) commented:
My apologies Simon, I forgot to close this question and award you your points. I followed your article on the site you host and got everything working. I was also able to solve the issue of the cert warning where it referenced the old domain. I simply set all the internal URIs for EWS, OWA and OAB to the external URIs. Thanks again for everything.
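As an added example (not the author's or Sembee's code), an EMS script for the step that resolved the warning: it lists every URL Exchange 2007 hands to Outlook, flags any whose host name is not on the certificate bound to IIS, and with -Fix copies each external URL into the internal URL. The cmdlets are the Exchange 2007 ones; the -Fix switch is an assumption.

```powershell
# Added example, not from the thread. Exchange 2007 EMS on the SBS 2008 server.
# Audit every URL Exchange advertises to Outlook against the certificate bound to
# IIS; a host that is not on that cert is what raises the warning described above.
# Run without -Fix to report only, with -Fix to copy each ExternalUrl into InternalUrl.
param([switch]$Fix)

$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
           Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
Write-Host "IIS certificate $($iisCert.Thumbprint) covers: $($certNames -join ', ')"

# Get/Set pairs for the virtual directories whose URLs Autodiscover publishes.
$pairs = @(
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory' }
)

foreach ($p in $pairs) {
    foreach ($vd in @(& $p.Get)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $u = $vd.$prop
            if ($u -and $certNames -notcontains $u.Host) {
                Write-Warning "$($vd.Identity) $prop=$u  host not on certificate"
            }
        }
        # The fix from the thread: internal and external URL identical, so only
        # the public name (which is on the cert) is ever presented to clients.
        if ($Fix -and $vd.ExternalUrl -and "$($vd.InternalUrl)" -ne "$($vd.ExternalUrl)") {
            & $p.Set -Identity $vd.Identity -InternalUrl $vd.ExternalUrl
        }
    }
}

# Domain-joined Outlook locates Autodiscover through this SCP URI rather than DNS,
# so an old host name here also triggers the prompt. Reported only; change it with
# Set-ClientAccessServer -AutoDiscoverServiceInternalUri once the new name is chosen.
foreach ($cas in @(Get-ClientAccessServer)) {
    $scp = $cas.AutoDiscoverServiceInternalUri
    if ($scp -and $certNames -notcontains $scp.Host) {
        Write-Warning "$($cas.Name) AutoDiscoverServiceInternalUri=$scp  host not on certificate"
    }
}
```

Wildcard SAN entries are not matched by the exact-name comparison; the thread's certificate lists explicit host names, which is what the script expects.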