

Exchange 2013 cert with local domain we do not own

Posted on 2013-02-06
Medium Priority
Last Modified: 2013-02-08
Greetings Experts,

I have a unique problem.  I'm adding Exchange 2013 to a client's existing environment.  Problem is that the domain that was originally setup is:, which we do not own and is unavailable.

I have created an external certificate for the correct domain,, and it is working fine with OWA.
Problem is that Internal outlook clients are getting a cert error for  

I'm guessing you can get around this with an internal cert?  I just set one up, but I'm still getting the error when I start outlook.

Does anyone know how to get around this?  I'm guessing Outlook is only looking at the cert that has the default SMTP service set on it, which is the remote cert.

Any help would be appreciated,
Question by:kaceyjames

Expert Comment

ID: 38860165
The correct way is to use split DNS and use only your external certificate.

Author Comment

ID: 38862317
thanks Akhater,

I think I'm missing something.  I'm still getting the cert error when I start Outlook.  It says the name on the cert does not match the name of the site.

I did what the article said, created a new forward zone, outside the ad.  used the name of the internal mail server:
created A record  with internal ip of exch1 and left name blank.  

What if I try this:
1. go into exch admin center, change the outlook anywhere internal name to the external name which is on the certificate:  
2. go into DNS, create a new Forward zone for
3. point to internal ip of exchange server
4. point www, and any other external cnames to the correct external ip.

You think that will work?

By the way, the new DNS zone did not appear in my other DNS servers, I'm assuming that's due to not being an AD DNS zone?  I haven't made one of those before.  I waited a bit, so replication should have happened.
Just want to give all the info.

Thanks for any help.
LVL 49

Expert Comment

ID: 38862597
You did good, however, a few questions:

what do you mean by "  used the name of the internal mail server:
created A record  with internal ip of exch1 and left name blank.  " the zone you create you should be and not

yes for the rest you should change all internal names to the external but not only outlook anywhere this should be also done for
OWA/ECP/OAB/ActiveSync/EWS and autodiscover


Author Comment

ID: 38864935
Changed all internal names to except autodiscover default web site, it only asks for server, which is the netbios name of internal server.  It does not allow you to edit.  

what I did:
1. deleted zone
2. created new zone
3. added blank a record in new zone pointing to internal mail server
4. updated DNS, flushdns
5. on client flushdns, if I ping, it pings internal server
6. still received cert

So do I need to take control of the entire domain via my DNS like I described in the previous post?

What I'm trying to figure out is how to tell outlook to look for, not  I'm guessing it has something to do with autodiscovery.

Thanks for any help,
LVL 49

Expert Comment

ID: 38865215
No, you did great again.

let me ask you how did you change the internal names ?


Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri

is it pointing to the if so please change it using

Get-ClientAccessServer | set-ClientAccessServer -AutoDiscoverServiceInternalUri

Author Comment

ID: 38866616
no, in the exchange admin gui, there is a virtual folders section.  I manually changed them.
LVL 49

Accepted Solution

Akhater earned 2000 total points
ID: 38867188
ok no problem but you cannot change the autodiscover from the GUI

Run the commands I gave you.

Author Closing Comment

ID: 38868762
Thank you so much for your help.. It worked.. so here is the official procedure:

1. create new forward NON-AD Zone on DNS server for the external name of the mail server that is on your cert:
2. go into the new zone, make a new A record, the name is blank and put IP as internal mail server.
3. Go into Exchange Admin GUI and go to server section - virtual directories - change the website to the external name:
4. you can not change autodiscover from GUI - open shell and put in:
Get-ClientAccessServer | set-ClientAccessServer -AutoDiscoverServiceInternalUri

CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri
5. In server section of GUI, double click on server, go to outlook anywhere section, change both internal and external to what is on cert:
6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to.  I checked my other DNS servers, and the zone did not replicate, I'm guessing due to it not being an AD zone.. not sure about this, maybe have to add to each internal DNS?

That did it for me, opened outlook and no more Cert error.
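The procedure above replaces each internal URL by hand; the check below (an added example, not from the thread or from Microsoft) pulls every hostname Outlook and mobile clients can be sent to on an Exchange 2013 Client Access server and flags any that the IIS-bound certificate does not cover. It assumes it is run in the Exchange Management Shell on the server being checked; the server name variable and the wildcard handling are assumptions.

```powershell
# Added example: find client-facing hostnames not covered by the IIS certificate.
# Run from the Exchange Management Shell on an Exchange 2013 CAS.
$server = $env:COMPUTERNAME   # assumption: checking the local server

# Pull the host part out of a URL object or string (returns $null if unset)
function Get-HostPart($uri) {
    if (-not $uri) { return $null }
    return ([System.Uri]$uri.ToString()).Host.ToLower()
}

# Collect internal/external hostnames: Autodiscover, virtual directories, Outlook Anywhere
$names = @()
$names += Get-HostPart (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri
foreach ($vd in @(
    Get-OwaVirtualDirectory -Server $server
    Get-EcpVirtualDirectory -Server $server
    Get-OabVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory -Server $server
    Get-WebServicesVirtualDirectory -Server $server)) {
    $names += Get-HostPart $vd.InternalUrl
    $names += Get-HostPart $vd.ExternalUrl
}
$oa = Get-OutlookAnywhere -Server $server
$names += $oa.InternalHostname.ToString().ToLower()
$names += $oa.ExternalHostname.ToString().ToLower()
$names = $names | Where-Object { $_ } | Sort-Object -Unique

# Subject/SAN names on certificates that actually serve IIS (OWA/EWS/Autodiscover/RPC)
$certDomains = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

# Exact match, or a wildcard that covers exactly one label (assumed wildcard rule)
function Test-CoveredByCert([string]$name, [string[]]$domains) {
    foreach ($d in $domains) {
        if ($d -eq $name) { return $true }
        if ($d.StartsWith('*.') -and $name -like $d -and
            ($name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($n in $names) {
    $status = if (Test-CoveredByCert $n $certDomains) { 'OK' } else { 'NOT ON CERT' }
    '{0,-12} {1}' -f $status, $n
}
```

Any line marked NOT ON CERT is a name Outlook may still be handed, which is where the old-domain Autodiscover URI from this thread would show up.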
LVL 49

Expert Comment

ID: 38868951
glad to know it worked
