Kacey Fern asked:

Exchange 2013 cert with local domain we do not own

Greetings Experts,

I have a unique problem. I'm adding Exchange 2013 to a client's existing environment. Problem is that the domain that was originally set up is xxx.org, which we do not own and is unavailable.

I have created an external certificate for the correct domain, yyy.org, and it is working fine with OWA.
Problem is that internal Outlook clients are getting a cert error for mail.xxx.org.

I'm guessing you can get around this with an internal cert?  I just set one up, but I'm still getting the error when I start outlook.

Does anyone know how to get around this? I'm guessing Outlook is only looking at the cert that has the default SMTP service set on it, which is the remote cert.

Any help would be appreciated,
Kacey
Akhater:

The correct way is to use split DNS and use only your external certificate:
http://exchange.sembee.info/network/split-dns.asp
Kacey Fern (asker):

thanks Akhater,

I think I'm missing something. I'm still getting the cert error when I start Outlook. It says the name on the cert does not match the name of the site.

I did what the article said: created a new forward zone, outside the AD, using the name of the internal mail server, exch1.xxx.org, and created an A record with the internal IP of exch1 and left the name blank.

What if I try this:
1. Go into the Exchange admin center, change the Outlook Anywhere internal name to the external name which is on the certificate: remote.yyy.org.
2. Go into DNS, create a new forward zone for yyy.org.
3. Point remote.yyy.org to the internal IP of the Exchange server.
4. Point www, and any other external CNAMEs, to the correct external IP.

You think that will work?

By the way, the new DNS zone did not appear in my other DNS servers; I'm assuming that's due to it not being an AD DNS zone? I haven't made one of those before. I waited a bit, so replication should have happened.
Just want to give all the info.

Thanks for any help.
Kacey
You did well; however, a few questions.

What do you mean by "used the name of the internal mail server: exch1.xxx.org, created A record with internal IP of exch1 and left name blank"? The zone you create should be yyy.org and not xxx.org.

Yes, for the rest you should change all internal names to the external remote.yyy.org, but not only for Outlook Anywhere; this should also be done for
OWA/ECP/OAB/ActiveSync/EWS and Autodiscover.
Changed all internal names to remote.yyy.org except Autodiscover (Default Web Site); it only asks for the server, which is the NetBIOS name of the internal server. It does not allow you to edit.

What I did:
1. Deleted the exch1.xxx.org zone.
2. Created a new zone, remote.yyy.org.
3. Added a blank A record in the new zone pointing to the internal mail server.
4. Updated DNS, flushdns.
5. On the client, flushdns; if I ping remote.yyy.org, it pings the internal server.
6. Still received cert.

So do I need to take control of the entire yyy.org domain via my DNS like I described in the previous post?

What I'm trying to figure out is how to tell Outlook to look for remote.yyy.org, not exch1.xxx.org. I'm guessing it has something to do with Autodiscover.

Thanks for any help,
Kacey
No, you did great again.

Let me ask you: how did you change the internal names?

run

Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri

Is it pointing to xxx.org? If so, please change it using:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/.............
No, in the Exchange admin GUI there is a virtual folders section. I manually changed them.
ASKER CERTIFIED SOLUTION by Akhater (content only available to members)
Thank you so much for your help. It worked, so here is the official procedure:

1. Create a new forward NON-AD zone on the DNS server for the external name of the mail server that is on your cert: remote.yyy.org.
2. Go into the new zone, make a new A record, leave the name blank and put the IP as the internal mail server.
3. Go into the Exchange admin GUI, go to the server section - virtual directories - and change the website to the external name: https://remote.yyy.org/xxx
4. You cannot change Autodiscover from the GUI; open the shell and put in:
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/autodiscover/autodiscover.xml

CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri
5. In the server section of the GUI, double-click on the server, go to the Outlook Anywhere section, and change both internal and external to what is on the cert: remote.yyy.org.
6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to. I checked my other DNS servers, and the zone did not replicate; I'm guessing due to it not being an AD zone. Not sure about this; maybe I have to add it to each internal DNS?

That did it for me, opened outlook and no more Cert error.
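The whole procedure from this post, plus the AutoDiscoverServiceInternalUri check Akhater asked for earlier, as one Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft; the host name, internal IP and server name at the top are placeholders, and it assumes the DNS server is a domain controller with the DnsServer PowerShell module (Windows Server 2012 or later). Two differences from the steps above are deliberate: the zone is created AD-integrated (-ReplicationScope), which is why it then appears on every other DC-hosted DNS server, and the script finishes by checking that every URL Outlook can be handed uses a host name that is actually on the certificate bound to IIS, which is the condition that has to hold for the name-mismatch warning to disappear. The Outlook Anywhere line re-uses whatever authentication methods are already configured rather than choosing new ones.

```powershell
# Added example: split DNS plus Exchange 2013 URL fix-up, not the thread's own code.
# Placeholders (constructed, not from the thread):
$ExternalName = 'remote.yyy.org'   # the name on the public certificate
$InternalIp   = '10.0.0.5'         # internal IP of the Exchange 2013 server
$Server       = 'EXCH1'            # NetBIOS name of the Exchange server
$Base         = "https://$ExternalName"

# Steps 1-2: a zone named exactly as the host, with an apex ('@') A record.
# Only remote.yyy.org is taken over; the rest of yyy.org still resolves publicly.
# -ReplicationScope makes the zone AD-integrated so every DC running DNS gets it
# (the thread used a file-backed zone, which lives on one server only).
if (-not (Get-DnsServerZone -Name $ExternalName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalName -ReplicationScope 'Domain'
}
if (-not (Get-DnsServerResourceRecord -ZoneName $ExternalName -Name '@' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $ExternalName -Name '@' -IPv4Address $InternalIp
}

# Step 3: every virtual directory gets the certificate name for both URLs,
# so no internal URL with the unowned xxx.org name is ever handed to Outlook.
$vdirs = @{
    Owa         = '/owa'
    Ecp         = '/ecp'
    Oab         = '/OAB'
    WebServices = '/EWS/Exchange.asmx'
    ActiveSync  = '/Microsoft-Server-ActiveSync'
}
foreach ($kind in $vdirs.Keys) {
    $url = "$Base$($vdirs[$kind])"
    & "Get-${kind}VirtualDirectory" -Server $Server |
        & "Set-${kind}VirtualDirectory" -InternalUrl $url -ExternalUrl $url
}

# Step 4: the Autodiscover SCP, which the GUI does not expose.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/autodiscover/autodiscover.xml"

# Step 5: Outlook Anywhere, both host names on the certificate name, SSL required.
# Existing authentication methods are passed back unchanged (assumption: one
# Outlook Anywhere object per server, the usual 'Rpc (Default Web Site)').
$oa = Get-OutlookAnywhere -Server $Server | Select-Object -First 1
$oa | Set-OutlookAnywhere -InternalHostname $ExternalName -ExternalHostname $ExternalName `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod $oa.InternalClientAuthenticationMethod `
    -ExternalClientAuthenticationMethod $oa.ExternalClientAuthenticationMethod

# Verification: collect every host name Outlook can be pointed at and compare it
# with the subject/SAN list of the certificate that is bound to IIS.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate with the IIS service is bound on $Server" }

$hosts = foreach ($kind in $vdirs.Keys) {
    & "Get-${kind}VirtualDirectory" -Server $Server | ForEach-Object {
        foreach ($u in @($_.InternalUrl, $_.ExternalUrl)) { if ($u) { ([Uri]$u).Host } }
    }
}
$hosts += ([Uri](Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri).Host
$oa = Get-OutlookAnywhere -Server $Server | Select-Object -First 1
$hosts += "$($oa.InternalHostname)", "$($oa.ExternalHostname)"

# -like handles both exact SAN entries and wildcard entries such as *.yyy.org.
$missing = $hosts | Where-Object { $_ } | Sort-Object -Unique | Where-Object {
    $h = $_
    -not ($cert.CertificateDomains | Where-Object { $h -like "$_" })
}
if ($missing) {
    Write-Warning ("Host names not on certificate {0}: {1}" -f $cert.Thumbprint, ($missing -join ', '))
} else {
    Write-Host "All client URLs use names on certificate $($cert.Thumbprint); clear the Outlook cache and retest."
}
```

Run it once on the Exchange server in the Exchange Management Shell (the DNS cmdlets need the DnsServer module and rights on the zone); if the warning at the end lists any host, that is the name Outlook will complain about, and it is usually an internal URL that was missed on one virtual directory.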
Glad to know it worked.