Solved

Exchange 2013 cert with local domain we do not own

Posted on 2013-02-06
9
672 Views
Last Modified: 2013-02-08
Greetings Experts,

I have a unique problem. I'm adding Exchange 2013 to a client's existing environment. The problem is that the domain that was originally set up is xxx.org, which we do not own and is unavailable.

I have created an external certificate for the correct domain, yyy.org, and it is working fine with OWA.
The problem is that internal Outlook clients are getting a cert error for mail.xxx.org.

I'm guessing you can get around this with an internal cert?  I just set one up, but I'm still getting the error when I start outlook.

Does anyone know how to get around this? I'm guessing Outlook is only looking at the cert that has the default SMTP service set on it, which is the remote cert.

Any help would be appreciated,
Kacey
Question by:kaceyjames
9 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 38860165
The correct way is to use split DNS and use only your external certificate:
http://exchange.sembee.info/network/split-dns.asp
0
 

Author Comment

by:kaceyjames
ID: 38862317
Thanks Akhater,

I think I'm missing something. I'm still getting the cert error when I start Outlook. It says the name on the cert does not match the name of the site.

I did what the article said: created a new forward zone, outside the AD, and used the name of the internal mail server: exch1.xxx.org.
I created an A record with the internal IP of exch1 and left the name blank.

What if I try this:
1. Go into the Exchange admin center and change the Outlook Anywhere internal name to the external name which is on the certificate: remote.yyy.org.
2. Go into DNS and create a new forward zone for yyy.org.
3. Point remote.yyy.org to the internal IP of the Exchange server.
4. Point www, and any other external CNAMEs, to the correct external IP.

You think that will work?

By the way, the new DNS zone did not appear in my other DNS servers; I'm assuming that's due to it not being an AD DNS zone? I haven't made one of those before. I waited a bit, so replication should have happened.
Just want to give all the info.

Thanks for any help.
Kacey
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38862597
You did well; however, a few questions.

What do you mean by "used the name of the internal mail server: exch1.xxx.org, created A record with internal ip of exch1 and left name blank"? The zone you create should be yyy.org and not xxx.org.

Yes, for the rest you should change all internal names to the external remote.yyy.org, but not only for Outlook Anywhere; this should also be done for
OWA/ECP/OAB/ActiveSync/EWS and Autodiscover.
0
 

Author Comment

by:kaceyjames
ID: 38864935
Changed all internal names to remote.yyy.org except Autodiscover (Default Web Site); it only asks for the server, which is the NetBIOS name of the internal server. It does not allow you to edit it.

What I did:
1. Deleted the exch1.xxx.org zone.
2. Created a new zone, remote.yyy.org.
3. Added a blank A record in the new zone pointing to the internal mail server.
4. Updated DNS, flushdns.
5. On the client, flushdns; if I ping remote.yyy.org, it pings the internal server.
6. Still received the cert error.

So do I need to take control of the entire yyy.org domain via my DNS like I described in the previous post?

What I'm trying to figure out is how to tell Outlook to look for remote.yyy.org, not exch1.xxx.org. I'm guessing it has something to do with Autodiscover.

Thanks for any help,
Kacey
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38865215
No, you did great again.

Let me ask you: how did you change the internal names?

Run

Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri

Is it pointing to xxx.org? If so, please change it using

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/.............
0
 

Author Comment

by:kaceyjames
ID: 38866616
No, in the Exchange admin GUI there is a virtual folders section. I manually changed them there.
0
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 38867188
OK, no problem, but you cannot change Autodiscover from the GUI.

Run the commands I gave you.
0
 

Author Closing Comment

by:kaceyjames
ID: 38868762
Thank you so much for your help. It worked, so here is the official procedure:

1. Create a new forward NON-AD zone on the DNS server for the external name of the mail server that is on your cert: remote.yyy.org.
2. Go into the new zone and make a new A record; the name is blank and the IP is the internal mail server.
3. Go into the Exchange Admin GUI, go to the server section - virtual directories, and change the website to the external name: https://remote.yyy.org/xxx
4. You cannot change Autodiscover from the GUI. Open the shell and put in:
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/autodiscover/autodiscover.xml

CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri
5. In the server section of the GUI, double-click on the server, go to the Outlook Anywhere section, and change both internal and external to what is on the cert: remote.yyy.org.
6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to. I checked my other DNS servers and the zone did not replicate, I'm guessing due to it not being an AD zone. Not sure about this; maybe I have to add it to each internal DNS?

That did it for me: opened Outlook and no more cert error.
0
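The whole fix from this thread (Akhater's Get-ClientAccessServer/Set-ClientAccessServer commands and Kacey's six-step procedure) in one script, added here as an example and not taken from the thread. It first audits every URL Outlook can receive through Autodiscover against the SANs of the certificate bound to IIS, so the source of the "name on the cert does not match" error is visible before anything is changed, then applies the split-DNS fix. remote.yyy.org and 10.0.0.25 are placeholders for the certificate name and the internal IP of the Exchange server.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell on the
# Exchange 2013 server; step 4 also needs the DnsServer module (Windows Server 2012+ DNS role).
$PublicName = 'remote.yyy.org'   # placeholder: the name on the certificate
$ExchangeIP = '10.0.0.25'        # placeholder: internal IP of the Exchange server

# 1. Names covered by the certificate that is actually bound to IIS (HTTPS for OWA/EWS/Autodiscover).
$cert      = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }

# 2. Audit: every internal/external URL Outlook can be handed, checked against the SAN list.
#    A host that is not on the list is exactly what produces the Outlook certificate warning.
$urls  = @()
$urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
foreach ($u in ($urls | Where-Object { $_ })) {
    $h = ([uri]"$u").Host.ToLower()
    # -like lets a wildcard SAN such as *.yyy.org match; a plain SAN must match exactly.
    if (-not ($certNames | Where-Object { $h -like $_ })) { Write-Warning "Not on certificate: $u" }
}

# 3. The fix: every internal name becomes the name on the certificate (steps 3 to 5 of the thread).
$base = "https://$PublicName"
Get-OwaVirtualDirectory         | Set-OwaVirtualDirectory         -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory         | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Get-OabVirtualDirectory         | Set-OabVirtualDirectory         -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Get-ActiveSyncVirtualDirectory  | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-ClientAccessServer          | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname $PublicName -InternalClientsRequireSsl $true -InternalClientAuthenticationMethod Ntlm `
                                          -ExternalHostname $PublicName -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic

# 4. Split DNS (steps 1 and 2): a standard, file-backed primary zone for just the public host name,
#    with a blank (apex) A record pointing at the internal address. A file-backed zone does not
#    replicate through AD, which is why it did not show up on the other DNS servers in the thread:
#    repeat this on each internal DNS server, or use -ReplicationScope Domain instead of -ZoneFile
#    to make it AD-integrated so it replicates.
Add-DnsServerPrimaryZone -Name $PublicName -ZoneFile "$PublicName.dns"
Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $ExchangeIP

# 5. Confirm, as in the thread.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri
```

After changing the URLs, clients need `ipconfig /flushdns` and an Outlook restart before the new Autodiscover answer is picked up.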
 
LVL 49

Expert Comment

by:Akhater
ID: 38868951
Glad to know it worked.
0
