Solved

Remove/change Primary external domain in SBS2008

Posted on 2013-01-25
693 Views
Last Modified: 2013-01-30
Summary and issue:
My client is running SBS 2008, which comes with Exchange 2007 and AD built in. I have already configured the domain to use firstdomain.com. Everything is working fine: OWA, Outlook, RWW, etc.; RWW is mail.firstdomain.com. Then she wanted to add seconddomain.com and stop using firstdomain.com. I added the new domain to Exchange and configured it as the new accepted domain, set it as default, and updated the email address policy so it is the primary send and receive address. I also set up the MX record to point to the IP of firstdomain.com. The only hitch I encountered was the certificate prompt that would pop up for external Outlook users. I explained that she needed to buy a new cert (SAN) that included autodiscover.seconddomain.com, firstdomain.com and seconddomain.com. The cost is crazy for the SAN, so now she wants to totally remove firstdomain.com from the network.
****************************
Plan of action:
Run the Internet Wizard and set seconddomain.com as new primary external domain
Change MX record to point to IP of seconddomain.com
Run cert wizard in SBS console
Remove firstdomain.com from accepted domain in EMC
************************
Concerns and questions:
1. There was no Autodiscover issue when there was one domain. Should I expect any now that I am going back to having one domain after removing firstdomain.com?
2. Would I still need to purchase a cert that includes autodiscover.seconddomain.com? (Seems like this would depend on the answer to question 1, lol.)
3. When the Internet wizard is run for seconddomain.com, would it also create virtual directories for OWA, EWS, etc., whereby I can now use mail.seconddomain.com as the new URL for RWW?
4. Can I leave the old MX record in place until the new one propagates to the DNS servers around the Internet? I just don't want any, or minimal, email downtime. I guess the better question would be: how do I avoid or minimize email downtime?
Question by: xzay1967
11 Comments
Assisted Solution by: Simon Butler (Sembee), LVL 63 (earned 500 total points)
ID: 38819812
MX record just points to a host name, which points to an IP address. Therefore as long as the server is able to accept email for that domain, then it will be fine.
A suitable SAN will be $60/year.

As soon as you run the wizards, everything will be changed to use the new host name, so you will need to do the certificate later. You do need to cover Autodiscover, particularly for external users, so that will need to be in the SSL certificate, unless you are using SRV records.

Simon.

Author Comment by: xzay1967
ID: 38820061
Hmm, thanks Simon, it would be very interesting to find a company that offers SAN certs for that low a price. All the providers I called were talking hundreds. I got a quote from Verisign and they quoted $900 per year for a SAN that included seconddomain.com, firstdomain.com and autodiscover.seconddomain.com.

I did that SRV record and pointed it to the IP of firstdomain.com (not sure if it is related), but now I get Autodiscover for cpanelemail prompts when Outlook first runs. Is this some new thing? If it helps, the provider that hosts seconddomain.com is Network Solutions.

Back to the MX record, I just remembered I can add the other IP and just set the priority higher than the old one. Worst case, if mail can't hit it, it will revert to the next on the list. But I assume that once I run the Internet wizard, OWA won't function for the old one anymore, or Outlook won't work until DNS has caught up for seconddomain.com. Which brings me back to the cert: can I use Outlook or RWW until the cert is in place?

In regards to Autodiscover, I never created a record for firstdomain.com when I set up the domain years ago. I assume that the Internet wizard took care of all that when it created the virtual directories.

Oh, one more: I am in Philly and the client is in TX, can I do this remotely?
Accepted Solution by: Simon Butler (Sembee), LVL 63 (earned 500 total points)
ID: 38820207
The provider of the domain name has no connection to the SSL certificate issuer. If you are looking at network solutions then of course you will pay - someone has to pay for all the blanket advertising they do in Google et al.

GoDaddy or one of their resellers such as https://certificatesforexchange.com/ do the certificates for that price. The certificates are trusted by the major players, including the iPhone and other mobile devices. 5 names on the certificate and unlimited servers.

On the subject of the MX records, remember it is just DNS. Therefore you could setup a new host name pointing to the same IP address if you like. It doesn't have to match the domain. For example your domain could be example.com but the MX record mail.example.net.

It can all be done remotely using RDP. If you configure the firewall to allow port 3389 through, rather than using RWW, that should maintain the connection while the changes are made. Another option would be to install something like LogMeIn Free, but doing that through RDP isn't advised.

Simon.

Author Comment by: xzay1967
ID: 38820321
You are a genius Simon, I actually forgot I could use GoToAssist for the remote work. I think for consistency I will create an A record called mail.seconddomain.com on the external DNS, then add an MX record entry for mail.seconddomain.com with a priority of 15, since the other (current) one is set to 10. The current MX record points to the IP of firstdomain.com and, since she wants to totally dump the old one, I may go with a new record. That way the record will already be in place for when I add the cert, plus mail won't use the new one unless the one with the priority of 10 is not accessible. Your thoughts please. Thanks for the tip on the cert provider.

Author Comment by: xzay1967
ID: 38820988
OK, so I went ahead and bought the cert; I will generate the request once I change the domain name. Once I change the primary domain on SBS, does the current email function stop working, i.e. OWA, Outlook, etc.? I am trying to get a feel for what to expect outage-wise so I can prepare for it.
Assisted Solution by: Simon Butler (Sembee), LVL 63 (earned 500 total points)
ID: 38821732
You can do the request before changing the domain name.
Do the request using the Exchange 2010 certificate wizard, rather than the SBS wizard.
Then complete the request through Exchange 2010 but DO NOT activate any services.
When you are ready to change things, simply do so in SBS as advised. As soon as you have completed the change, run the SSL wizard in SBS and your new certificate will be available.

If you include the existing URL and the existing autodiscover.example.com in the certificate, then the downtime will be measured in minutes.

That makes the full list (where example.com is the old domain, and example.co.uk is the new and you were using the "remote" name that SBS prefers):

remote.example.co.uk (common name)
remote.example.com
autodiscover.example.co.uk
autodiscover.example.com

Simon.
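The request-first, activate-later sequence Simon describes, written out for the Exchange 2007 Management Shell that this SBS 2008 server actually has (the wizard he names is the Exchange 2010 one). This is an added example, not code from the thread: the C:\certs paths, the subject fields and the example.com / example.co.uk values are assumptions, and the four host names are the ones Simon lists above.

```powershell
# Added example (not from the thread): request a SAN certificate now, complete
# it without touching any service, and bind it only after the SBS wizards have
# switched the server to the new name. Assumed: C:\certs paths, subject fields,
# $oldDomain/$newDomain. Run in the Exchange 2007 Management Shell.

$oldDomain = "example.com"
$newDomain = "example.co.uk"
$cn        = "remote.$newDomain"        # first name becomes the Common Name

# Old and new "remote" names plus Autodiscover for both domains, so Outlook
# clients still pointed at the old name keep working during the switch-over.
$sanNames = @(
    $cn,
    "remote.$oldDomain",
    "autodiscover.$newDomain",
    "autodiscover.$oldDomain"
)

# Step 1: generate the CSR before running the SBS Internet Address wizard.
New-ExchangeCertificate -GenerateRequest -Path "C:\certs\$cn.csr" `
    -SubjectName "c=US, s=TX, l=Houston, o=Example Ltd, cn=$cn" `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Step 2 (out of band): submit C:\certs\<cn>.csr to the CA and save the issued
# certificate as C:\certs\<cn>.cer on the server.

# Step 3: complete the request. Import-ExchangeCertificate pairs the issued
# certificate with the pending request's private key but enables NO services,
# so the current certificate keeps serving OWA, Outlook and SMTP untouched.
$cert = Import-ExchangeCertificate -Path "C:\certs\$cn.cer"

# Check before relying on it: every planned name must be in the SAN list.
function Get-MissingSanNames {
    param([string[]]$Wanted, $Certificate)
    $have = @($Certificate.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
    return @($Wanted | Where-Object { $have -notcontains $_.ToLowerInvariant() })
}
$missing = Get-MissingSanNames -Wanted $sanNames -Certificate $cert
if ($missing.Count -gt 0) {
    throw "Issued certificate is missing names: $($missing -join ', ')"
}
# Services should still read "None" at this point.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter

# Step 4: only after the SBS wizards have moved everything to the new name,
# bind the certificate to IIS (OWA, EWS, OAB, Autodiscover, RWW) and SMTP.
# The SBS console's certificate wizard does the same thing from the GUI.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"
```

Keeping the two old names on the certificate is what limits the outage to minutes: until external DNS and the client Autodiscover cache have moved to the new name, clients connecting to remote.example.com still get a certificate that is valid for it. The private key is marked exportable so the certificate can be backed up before the old one is removed.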

Author Comment by: xzay1967
ID: 38822129
Thanks again for the detailed response Simon. I always thought that, with SBS being so temperamental, not using the built-in wizard was ill-advised. This is Exchange 2007, so I will have to figure out how to request the cert via EMS. If it's not too much to ask, can you assist me with that as well? Here is what I would like in the SAN request:
mail.wtaylorrealestate.com (current domain)
mail.taylorrealestate.com (new domain)
autodiscover.wtaylorrealestate.com
autodiscover.taylorrealestate.com
Not sure if I need to include the server name, but if I do, then it's wtr-dc01.wtaylor.local

Author Comment by: xzay1967
ID: 38822181
http://exchange.sembee.info/ I believe I found your site; I will follow the instructions. Do you still recommend including "Sites" in the SAN? I have generated the CSR using EMS:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_taylorrealestate_com.csr -KeySize 2048 -SubjectName "c=US, s=TX, l=Houston, o=Taylor Real Estate Group Inc, cn=mail.taylorrealestate.com" -DomainName mail.taylorrealestate.com, mail.wtaylorrealestate.com, autodiscover.taylorrealestate.com, autodiscover.wtaylorrealestate.com, wtr-dc01.wtaylor.local -PrivateKeyExportable $True

Should I redo it and include "Sites"? The only issue is that I am only allowed 5 entries for the cert I purchased; if I have to include "Sites", which one can I remove and still be in the green?

Author Comment by: xzay1967
ID: 38823651
First let me extend a million thanks for your help. I have performed the operation, and all went well except for one glitch. Now, for some odd reason, when users launch Outlook internally, they are prompted with a cert warning that references the old domain. See screenshot. The cert does include the old domain as well as the new domain, so I'm not sure what the problem is at this point.
[Screenshot: mail.taylorrealestate.png]
Assisted Solution by: Simon Butler (Sembee), LVL 63 (earned 500 total points)
ID: 38835471
You must have a reference to the old domain somewhere in Exchange.
On my site I do have all of the places that could hold them listed.

It is part of this article.
http://exchange.sembee.info/2007/install/singlenamessl.asp

You will have to go through to see if the SBS wizard missed something.

As for running the wizards, I think you will find that most SBS experts will say run the wizards. The trick is knowing what information to put in and working with the wizards.

Simon.

Author Comment by: xzay1967
ID: 38835590
My apologies Simon, I forgot to close this question and award you your points. I followed your article on the site you host and got everything working. I was also able to solve the issue of the cert warning that referenced the old domain. I simply set all the internal URIs for EWS, OWA and OAB to the external URI. Thanks again for everything.
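The fix the author describes, and the audit Simon points at (every place Exchange can still hand out the old host name), as an added example that is not part of the thread. It finds each EWS, OAB and OWA URL and the Autodiscover SCP that still names the old host, sets internal and external URLs to the certificate name, and then checks that every URL host is actually on the certificate bound to IIS. The server name WTR-DC01, the two host names and the URL paths are assumptions taken from the thread's CSR; run it in the Exchange 2007 Management Shell.

```powershell
# Added example (not from the thread): report URLs that still carry the old
# host name, apply "internal URL = external URL" on the certificate name, and
# verify every URL host is on the IIS certificate. Assumed: server name, host
# names and URL paths below. Exchange 2007 Management Shell on SBS 2008.

$server  = "WTR-DC01"                       # assumed server name
$oldHost = "mail.wtaylorrealestate.com"     # the name shown in the warning
$newHost = "mail.taylorrealestate.com"      # CN of the new SAN certificate

# The URLs Outlook learns through Autodiscover. The OWA filter keeps only the
# /owa directory; the legacy /Exchange, /Public and /Exchweb ones are left alone.
$targets = @(
    @{ Name = "EWS"; Path = "/EWS/Exchange.asmx"
       Items = @(Get-WebServicesVirtualDirectory -Server $server) },
    @{ Name = "OAB"; Path = "/OAB"
       Items = @(Get-OabVirtualDirectory -Server $server) },
    @{ Name = "OWA"; Path = "/owa"
       Items = @(Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -like "owa*" }) }
)

# 1. Report: any InternalUrl/ExternalUrl or the Autodiscover SCP still on the
#    old host. Each hit is a URL Outlook will open and get the cert warning on.
function Find-OldHostReferences {
    $hits = @()
    foreach ($t in $targets) {
        foreach ($vdir in $t.Items) {
            foreach ($prop in "InternalUrl", "ExternalUrl") {
                $url = $vdir.$prop                      # System.Uri or $null
                if ($url -and $url.Host -ieq $oldHost) {
                    $hits += "{0} {1} = {2}" -f $t.Name, $prop, $url
                }
            }
        }
    }
    $scp = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    if ($scp -and $scp.Host -ieq $oldHost) {
        $hits += "AutoDiscoverServiceInternalUri = $scp"
    }
    return $hits
}
Write-Host "Old-host references before the change:"
Find-OldHostReferences

# 2. Fix: point internal and external URLs at the same https URL on the
#    certificate name. Internal clients must then resolve $newHost to the
#    server's LAN address (split DNS), or they will go out to the public IP.
foreach ($t in $targets) {
    $url = "https://$newHost$($t.Path)"
    foreach ($vdir in $t.Items) {
        switch ($t.Name) {
            "EWS" { Set-WebServicesVirtualDirectory -Identity $vdir.Identity -InternalUrl $url -ExternalUrl $url }
            "OAB" { Set-OabVirtualDirectory -Identity $vdir.Identity -InternalUrl $url -ExternalUrl $url }
            "OWA" { Set-OwaVirtualDirectory -Identity $vdir.Identity -InternalUrl $url -ExternalUrl $url }
        }
    }
}
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$newHost/Autodiscover/Autodiscover.xml"

# 3. Verify: re-read the objects (including the legacy OWA directories step 2
#    skipped, so any leftover old-name URL is reported) and check every URL
#    host against the SAN list of the certificate enabled for IIS.
function Test-UrlHostsOnIisCertificate {
    $iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
    if (-not $iisCert) { throw "No certificate is enabled for IIS" }
    $sans  = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
    $urls  = @()
    $urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-OabVirtualDirectory -Server $server         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-OwaVirtualDirectory -Server $server         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    $bad = @($urls | Where-Object { $_ } | ForEach-Object { $_.Host.ToLowerInvariant() } |
            Sort-Object -Unique | Where-Object { $sans -notcontains $_ })
    if ($bad.Count -gt 0) { throw "URL host(s) not on the IIS certificate: $($bad -join ', ')" }
    return "All URL hosts are covered by $($iisCert.Subject)"
}
Test-UrlHostsOnIisCertificate
```

The check in step 3 is the one worth keeping around: an Outlook certificate warning on an otherwise correct certificate almost always means one URL object still names a host that is not in the SAN list, and this reports exactly which one rather than leaving it to a screenshot. Note that the server's own FQDN (wtr-dc01.wtaylor.local) only needs to be on the certificate if some URL still points at it; after this change none does.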