Solved

Exchange 2013 cert with local domain we do not own

Posted on 2013-02-06
Last Modified: 2013-02-08
Greetings Experts,

I have a unique problem.  I'm adding Exchange 2013 to a client's existing environment.  Problem is that the domain that was originally set up is xxx.org, which we do not own and is unavailable.

I have created an external certificate for the correct domain, yyy.org, and it is working fine with OWA.
Problem is that internal Outlook clients are getting a cert error for mail.xxx.org.

I'm guessing you can get around this with an internal cert?  I just set one up, but I'm still getting the error when I start Outlook.

Does anyone know how to get around this?  I'm guessing Outlook is only looking at the cert that has the default SMTP service set on it, which is the remote cert.

Any help would be appreciated,
Kacey
Question by:kaceyjames
LVL 49

Expert Comment

by:Akhater
ID: 38860165
The correct way is to use split DNS and use only your external certificate:
http://exchange.sembee.info/network/split-dns.asp

Author Comment

by:kaceyjames
ID: 38862317
Thanks Akhater,

I think I'm missing something.  I'm still getting the cert error when I start Outlook.  It says the name on the cert does not match the name of the site.

I did what the article said: created a new forward zone, outside AD, using the name of the internal mail server, exch1.xxx.org; created an A record with the internal IP of exch1 and left the name blank.

What if I try this:
1. Go into Exchange admin center, change the Outlook Anywhere internal name to the external name which is on the certificate: remote.yyy.org.
2. Go into DNS, create a new forward zone for yyy.org.
3. Point remote.yyy.org to the internal IP of the Exchange server.
4. Point www, and any other external CNAMEs, to the correct external IP.

You think that will work?

By the way, the new DNS zone did not appear in my other DNS servers; I'm assuming that's due to it not being an AD DNS zone?  I haven't made one of those before.  I waited a bit, so replication should have happened.
Just want to give all the info.

Thanks for any help.
Kacey
LVL 49

Expert Comment

by:Akhater
ID: 38862597
You did well, however a few questions.

What do you mean by "used the name of the internal mail server: exch1.xxx.org, created A record with internal IP of exch1 and left name blank"?  The zone you create should be yyy.org and not xxx.org.

Yes, for the rest you should change all internal names to the external remote.yyy.org, but not only Outlook Anywhere; this should also be done for OWA/ECP/OAB/ActiveSync/EWS and Autodiscover.

Author Comment

by:kaceyjames
ID: 38864935
Changed all internal names to remote.yyy.org except the Autodiscover default web site; it only asks for the server, which is the NetBIOS name of the internal server.  It does not allow you to edit it.

What I did:
1. Deleted the exch1.xxx.org zone.
2. Created a new zone, remote.yyy.org.
3. Added a blank A record in the new zone pointing to the internal mail server.
4. Updated DNS, flushdns.
5. On the client, flushdns; if I ping remote.yyy.org, it pings the internal server.
6. Still received the cert error.

So do I need to take control of the entire yyy.org domain via my DNS like I described in the previous post?

What I'm trying to figure out is how to tell Outlook to look for remote.yyy.org, not exch1.xxx.org.  I'm guessing it has something to do with Autodiscover.

Thanks for any help,
Kacey
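As an added example, not part of the thread, here is a client-side check for the situation Kacey describes at this point: a ping proves the name resolves internally, but not which name Outlook is using or which names the certificate carries. The script resolves the name, opens a TLS connection, reads the certificate the server actually presents and reports whether its CN or any Subject Alternative Name matches. remote.yyy.org and 192.168.1.10 are placeholders (assumed values) for the name on the external certificate and the internal IP of the Exchange server.

```powershell
# Added example (not from the thread): verify split-DNS resolution and the served certificate
# from a client. Host name and IP below are assumed placeholder values.
$HostName   = 'remote.yyy.org'    # assumed: the name on the external certificate
$ExpectedIp = '192.168.1.10'      # assumed: the internal IP of the Exchange server

function Test-SplitDnsResolution {
    param([string]$Name, [string]$Expected)
    $ips = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    [pscustomobject]@{
        Name       = $Name
        Resolved   = ($ips -join ', ')
        IsInternal = ($ips -contains $Expected)   # $true only if split DNS is in effect
    }
}

function Get-ServedCertificate {
    param([string]$Name, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # The callback accepts any certificate: we only inspect it here, we do not trust it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                   { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($Name)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $served
    } finally { $client.Close() }
}

function Test-CertificateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    # Collect the subject CN plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    # A name matches exactly, or via a wildcard entry such as *.yyy.org.
    $match = $names | Where-Object { $_ -ieq $Name -or ($_.StartsWith('*.') -and $Name -ilike $_) }
    [pscustomobject]@{
        Host        = $Name
        CertNames   = ($names -join ', ')
        NameMatches = [bool]$match
        Thumbprint  = $Cert.Thumbprint
        NotAfter    = $Cert.NotAfter
    }
}

Test-SplitDnsResolution -Name $HostName -Expected $ExpectedIp | Format-List
$served = Get-ServedCertificate -Name $HostName
Test-CertificateName -Cert $served -Name $HostName | Format-List
```

Outlook's warning names the URL it was handed by Autodiscover, so run the check against that name (mail.xxx.org in the original question) as well as against remote.yyy.org. If remote.yyy.org resolves to the internal IP and the served certificate carries it, but Outlook still complains about the old host name, the remaining work is on the Exchange side (the Autodiscover and virtual directory URLs), not in DNS.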
LVL 49

Expert Comment

by:Akhater
ID: 38865215
No, you did great again.

Let me ask you: how did you change the internal names?

Run

Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri

Is it pointing to xxx.org?  If so, please change it using

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/.............

Author Comment

by:kaceyjames
ID: 38866616
No, in the Exchange admin GUI there is a virtual folders section.  I manually changed them.
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 38867188
OK, no problem, but you cannot change the Autodiscover from the GUI.

Run the commands I gave you.

Author Closing Comment

by:kaceyjames
ID: 38868762
Thank you so much for your help. It worked. So here is the official procedure:

1. Create a new forward NON-AD zone on the DNS server for the external name of the mail server that is on your cert: remote.yyy.org.
2. Go into the new zone, make a new A record; the name is blank and put the IP as the internal mail server.
3. Go into the Exchange Admin GUI and go to server section - virtual directories - change the website to the external name: https://remote.yyy.org/xxx
4. You cannot change Autodiscover from the GUI - open the shell and put in:
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/autodiscover/autodiscover.xml

CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri
5. In the server section of the GUI, double click on the server, go to the Outlook Anywhere section, change both internal and external to what is on the cert: remote.yyy.org.
6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to.  I checked my other DNS servers, and the zone did not replicate; I'm guessing due to it not being an AD zone.  Not sure about this, maybe I have to add it to each internal DNS?

That did it for me, opened Outlook and no more cert error.
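The accepted procedure above, together with the AutoDiscoverServiceInternalUri check Akhater gives earlier in the thread, as one PowerShell script. This is an added example, not the thread's own commands. It assumes a Windows Server 2012 or later DNS server (DnsServer module) for part A and the Exchange Management Shell on the Exchange 2013 server for part B; remote.yyy.org, 192.168.1.10 and EXCH1 are placeholders for the name on the certificate, the internal IP of the Exchange server and its server name, and the virtual directory paths are the Exchange 2013 defaults.

```powershell
# Added example (not the thread's own commands): the accepted procedure as PowerShell.
# Part A runs on an internal Windows DNS server (DnsServer module, Server 2012 or later).
# Part B runs in the Exchange Management Shell on the Exchange 2013 server.
# remote.yyy.org, 192.168.1.10 and EXCH1 are assumed placeholder values.
$ExternalName = 'remote.yyy.org'
$InternalIp   = '192.168.1.10'
$ServerName   = 'EXCH1'

# ---- Part A: split DNS, steps 1 and 2 (non-AD, file-backed primary zone) ----
# A file-backed zone is not replicated by AD, so run this on every internal DNS server
# clients use, or drop -ZoneFile and use -ReplicationScope Domain for an AD-integrated zone.
if (-not (Get-DnsServerZone -Name $ExternalName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalName -ZoneFile "$ExternalName.dns"
}
# The "blank" record of step 2 is the zone apex ("@"): remote.yyy.org itself -> internal IP.
Add-DnsServerResourceRecordA -ZoneName $ExternalName -Name '@' -IPv4Address $InternalIp
Resolve-DnsName -Name $ExternalName -Type A      # from inside, expect $InternalIp

# ---- Part B: point every namespace at the name on the certificate (steps 3 to 5) ----
$base = "https://$ExternalName"
# Step 3: internal URLs of the virtual directories.
Get-OwaVirtualDirectory         -Server $ServerName | Set-OwaVirtualDirectory         -InternalUrl "$base/owa"
Get-EcpVirtualDirectory         -Server $ServerName | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp"
Get-OabVirtualDirectory         -Server $ServerName | Set-OabVirtualDirectory         -InternalUrl "$base/OAB"
Get-ActiveSyncVirtualDirectory  -Server $ServerName | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $ServerName | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx"
# Step 4: Autodiscover has no GUI setting; domain-joined Outlook finds this URI through
# the service connection point in AD, so it decides which host name Outlook connects to.
Set-ClientAccessServer -Identity $ServerName -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"
# Step 5: Outlook Anywhere, internal and external host names.
Get-OutlookAnywhere -Server $ServerName | Set-OutlookAnywhere `
    -InternalHostname $ExternalName -InternalClientsRequireSsl $true -InternalClientAuthenticationMethod Ntlm `
    -ExternalHostname $ExternalName -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic

# ---- Verify: the Autodiscover URI, Outlook Anywhere and the InternalUrls should all show the new name ----
Get-ClientAccessServer -Identity $ServerName | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Get-OutlookAnywhere -Server $ServerName | Format-Table InternalHostname, ExternalHostname -AutoSize
Get-OwaVirtualDirectory -Server $ServerName | Format-Table Name, InternalUrl -AutoSize
# And confirm the certificate bound to IIS actually carries $ExternalName.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter
```

On step 6 of the procedure: a primary zone created with -ZoneFile is stored in a file on that one server and does not replicate, which is why the other internal DNS servers never showed it. Either repeat part A on each DNS server that clients point at, or create the zone as AD-integrated (-ReplicationScope Domain instead of -ZoneFile) so it replicates with AD. Everything in part B is shown as a single-server example; on a multi-server deployment apply it per server.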
LVL 49

Expert Comment

by:Akhater
ID: 38868951
Glad to know it worked.