
Exchange 2013 cert with local domain we do not own

Greetings Experts,

I have a unique problem.  I'm adding Exchange 2013 to a client's existing environment.  The problem is that the domain that was originally set up is xxx.org, which we do not own and is unavailable.

I have created an external certificate for the correct domain, yyy.org, and it is working fine with OWA.
The problem is that internal Outlook clients are getting a cert error for mail.xxx.org.

I'm guessing you can get around this with an internal cert?  I just set one up, but I'm still getting the error when I start Outlook.

Does anyone know how to get around this?  I'm guessing Outlook is only looking at the cert that has the default SMTP service set on it, which is the remote cert.

Any help would be appreciated,
Kacey Fern
1 Solution
The correct way is to use split DNS and use only your external certificate.
Kacey Fern (System Engineer, Author) commented:
Thanks Akhater,

I think I'm missing something.  I'm still getting the cert error when I start Outlook.  It says the name on the cert does not match the name of the site.

I did what the article said: created a new forward zone, outside AD, and used the name of the internal mail server: exch1.xxx.org.
I created an A record with the internal IP of exch1 and left the name blank.

What if I try this:
1. go into exch admin center, change the outlook anywhere internal name to the external name which is on the certificate: remote.yyy.org.  
2. go into DNS, create a new Forward zone for yyy.org
3. point remote.yyy.org to internal ip of exchange server
4. point www, and any other external cnames to the correct external ip.

You think that will work?

By the way, the new DNS zone did not appear in my other DNS servers; I'm assuming that's due to it not being an AD DNS zone?  I haven't made one of those before.  I waited a bit, so replication should have happened.
Just want to give all the info.

Thanks for any help.
You did well; however, a few questions.

What do you mean by "used the name of the internal mail server: exch1.xxx.org
created A record with internal ip of exch1 and left name blank."?  The zone you create should be yyy.org and not xxx.org.

Yes, for the rest you should change all internal names to the external remote.yyy.org, but not only Outlook Anywhere; this should also be done for
OWA/ECP/OAB/ActiveSync/EWS and Autodiscover.

Kacey Fern (System Engineer, Author) commented:
Changed all internal names to remote.yyy.org except Autodiscover on the default web site; it only asks for server, which is the NetBIOS name of the internal server.  It does not allow you to edit.

What I did:
1. deleted the exch1.xxx.org zone
2. created a new zone, remote.yyy.org
3. added a blank A record in the new zone pointing to the internal mail server
4. updated DNS, flushdns
5. on the client, flushdns; if I ping remote.yyy.org, it pings the internal server
6. still received cert

So do I need to take control of the entire yyy.org domain via my DNS like I described in the previous post?

What I'm trying to figure out is how to tell outlook to look for remote.yyy.org, not exch1.xxx.org.  I'm guessing it has something to do with autodiscovery.

Thanks for any help,
No, you did great again.

Let me ask you: how did you change the internal names?

Run:

Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri

Is it pointing to xxx.org?  If so, please change it using:

Get-ClientAccessServer | set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/.............
Kacey Fern (System Engineer, Author) commented:
No, in the Exchange admin GUI there is a virtual directories section.  I manually changed them.
OK, no problem, but you cannot change Autodiscover from the GUI.

Run the commands I gave you.
Kacey Fern (System Engineer, Author) commented:
Thank you so much for your help.  It worked, so here is the official procedure:

1. Create a new forward NON-AD zone on the DNS server for the external name of the mail server that is on your cert: remote.yyy.org
2. Go into the new zone and make a new A record; the name is blank and the IP is the internal mail server.
3. Go into the Exchange Admin GUI, go to the server section - virtual directories, and change the website to the external name: https://remote.yyy.org/xxx
4. You cannot change Autodiscover from the GUI; open the shell and put in:
Get-ClientAccessServer | set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/autodiscover/autodiscover.xml

CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri
5. In the server section of the GUI, double click on the server, go to the Outlook Anywhere section, and change both internal and external to what is on the cert: remote.yyy.org
6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to.  I checked my other DNS servers, and the zone did not replicate; I'm guessing that's due to it not being an AD zone.  Not sure about this; maybe you have to add it to each internal DNS?

That did it for me, opened outlook and no more Cert error.
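As an added example (not the poster's or Akhater's own commands), here is the same procedure, covering the OWA/ECP/OAB/ActiveSync/EWS/Autodiscover list above and the final write-up, done from the DNS server's PowerShell module and the Exchange Management Shell, with a final check that every name handed to Outlook is actually on the IIS-bound certificate. EXCH1 and remote.yyy.org come from the thread; the internal IP and the ExternalClientAuthenticationMethod value are assumptions.

```powershell
# Added example: split-DNS zone plus Exchange 2013 internal URLs from PowerShell.
# Assumes the DnsServer module on the internal DNS server and the Exchange Management
# Shell on the CAS. EXCH1 is from the thread; the IP is a constructed placeholder.
$Server     = 'EXCH1'
$CertName   = 'remote.yyy.org'   # name present on the external certificate
$InternalIP = '10.0.0.25'        # placeholder for the mail server's LAN address

# Steps 1-2: file-backed (non-AD) zone for the cert name, apex A record to the LAN IP.
# A file-backed zone does not replicate, so repeat this on every internal DNS server,
# or use -ReplicationScope Forest instead of -ZoneFile to make it AD-integrated.
Add-DnsServerPrimaryZone -Name $CertName -ZoneFile "$CertName.dns"
Add-DnsServerResourceRecordA -ZoneName $CertName -Name '@' -IPv4Address $InternalIP

# Step 3: internal URLs for each virtual directory Akhater listed.
$u = "https://$CertName"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$u/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$u/ecp"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$u/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$u/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$u/EWS/Exchange.asmx"

# Step 4: Autodiscover has no GUI setting; set the SCP URI the domain-joined Outlook reads.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$u/Autodiscover/Autodiscover.xml"

# Step 5: Outlook Anywhere host names (auth method is an assumption; match your setup).
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $CertName -InternalClientsRequireSsl $true `
    -ExternalHostname $CertName -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic

# Check: every host name Outlook will be given must be on the certificate bound to IIS.
# Exact-name comparison only; wildcard certificates are not handled here.
$certDomains = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() }
$urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri,
    (Get-OwaVirtualDirectory -Server $Server).InternalUrl,
    (Get-EcpVirtualDirectory -Server $Server).InternalUrl,
    (Get-OabVirtualDirectory -Server $Server).InternalUrl,
    (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl,
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
)
foreach ($url in $urls) {
    $h = ([Uri]$url).Host
    if ($certDomains -contains $h) { "OK       $url" }
    else { "MISMATCH $url (host $h not on IIS cert: $($certDomains -join ', '))" }
}
```

Any MISMATCH line is a name Outlook will still warn about, which is exactly the symptom in this thread.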
Glad to know it worked.