Solved

SSL issue, migration from Ex2k7 to Ex2k13 - old AD domain name...

Posted on 2013-05-13
Last Modified: 2013-07-03
In the process of migrating from Exchange 2007 to Exchange 2013 for a private school.

I've set up Ex2k13, migrated a former employee's mailbox to 2013, and OWA/mail flow working fine.


Original AD domain is: old-school.org (this would be domain.local in generic examples)
Current email domain we are using is: newschool.org

Existing 2007 Exchange server name: emailserver
New 2013 Exchange server name: EX01




But Outlook 2010 for the migrated user:

Issue one:
When Outlook is started, I get the username/password box.
Note - the title of the box shows the old server name:
Connecting to: emailserver.newschool.org

Username and password rejected, but as I keep entering it, a Security Alert pops up:


Security Alert
EX01.old-school.org

<check> The security cert. is from a trusted cert. authority.
<check> The security cert. date is valid.
<red X> The name on the security cert. is invalid or does not match the name of the site.


When I view certificate details:

Subject Alternative Name:
DNS name = owa.newschool.org
DNS name = www.owa.newschool.org
DNS name = autodiscover.newschool.org
DNS name = EX01.newschool.org

It seems to me a start is to get the EX01.old-school.org to be seen as EX01.newschool.org

So how to do this?

Once that is done, I guess updating autodiscover internally to point to the new server is in order (after I've moved mailboxes.)
Question by:toddtx
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39161569
It isn't clear from your question - are you going cross forest or is this a regular migration on the same Windows Domain and Exchange org?

Simon.
 

Author Comment

by:toddtx
ID: 39161587
It is a regular migration. All existing internal AD domain activities (joining computers, etc. use old-school.org). The school did a rebranding six years ago and the email domain is now newschool.org. When Outlook 2010 came out, we had a few minor SSL issues at the time, but we were able to resolve them pretty easily.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39161652
That is fine. That just means you need to configure everything internally correctly.
You will need a split DNS system and then reconfigure Exchange to use the same host name internally and externally. Autodiscover on both servers can use the same host name.

Split DNS: http://semb.ee/splitdns
Host Names in Exchange: http://semb.ee/hostnames

Simon.
 

Author Comment

by:toddtx
ID: 39175196
I have added a new Forward Lookup Zone: owa.newschool.org

tracert owa.newschool.org
Tracing route to owa.newschool.org [192.168.10.10]
over a maximum of 30 hops
1 1 ms < 1 ms < 1ms EX01.old-school.org [192.168.10.10]

Trace complete.

When I start Outlook 2010, Outlook's password prompt title still shows the old server name.

Also, when I click cancel on that, and look at Outlook's account settings, the server name is really weird:
e700bd6d-389f-35of-c2da541a52c@newschool.org
 

Author Comment

by:toddtx
ID: 39175228
In the Exchange admin center > virtual directories

For Autodiscover (Default Web Site) what should be in the Server: box ?
Right now mine says just

EX01
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39176059
Don't touch the Autodiscover virtual directory configuration - you don't have to modify that at all. Follow the instructions I have provided in the links above - nothing else has to be changed.

Simon.
 

Author Comment

by:toddtx
ID: 39191937
Will try it out this weekend.
 

Author Comment

by:toddtx
ID: 39219743
Question about these instructions...

http://exchange.sembee.info/network/split-dns.asp

Configuration Instructions - Single Host Replacement

Setting up a New Zone


1. On your primary DNS server, start the DNS administration tool.
2. Right click on the server and choose New Zone.
3. Step through the wizard. You need a FORWARD primary zone that is NOT AD integrated (you may have to deselect an option).
4. When asked for the domain name, enter the host that you want to replace.
For example if you want to replace owa.example.com then you would enter owa.example.com.
[In my example, I am wanting to replace EX01.old-school.org, correct?]
5. Accept the option about creating a file.
6. As this is not an AD integrated zone, disable dynamic updates.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39220749
No.
The step you have pointed to allows you to use the same host name internally as externally.
So if owa.example.com resolves to an external IP address, using the split DNS system you resolve it to an internal IP address.

What you want to do is change the Exchange configuration to use the same host name internally and externally via split DNS so that the real name of the Exchange server is not used anywhere.

Simon.
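
As an added example (mine, not from the thread or from the linked Sembee pages): the split-DNS step Simon describes, done with the DnsServer PowerShell module on the internal Windows DNS server. It creates one non-AD-integrated "pinpoint" zone per published host name, so only those names are overridden internally and the real server name EX01.old-school.org is never what clients resolve. The internal address 192.168.10.10 and the host names come from the thread; using owa.newschool.org as the single internal/external name for all services is an assumption.

```powershell
# Added example: pinpoint split-DNS zones for the names that are on the certificate.
# Assumes the DnsServer module (Windows Server 2012+) on the internal DNS server,
# run as an administrator. The IP and host names are taken from the thread.

$internalIp = '192.168.10.10'   # EX01, from the tracert in the thread
$hostNames  = @(
    'owa.newschool.org',          # OWA/ECP/EWS/OAB/ActiveSync/Outlook Anywhere (assumed)
    'autodiscover.newschool.org'  # Autodiscover; the same name can serve both servers
)

foreach ($name in $hostNames) {
    # The zone name IS the host name, so only this one name is overridden and the
    # rest of newschool.org still resolves through the public zone.
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        # File-backed (not AD-integrated) and no dynamic updates, as the linked
        # instructions require; this zone exists only on this DNS server.
        Add-DnsServerPrimaryZone -Name $name -ZoneFile "$name.dns" -DynamicUpdate None
    }
    # '@' is the zone apex, i.e. the host name itself
    Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $internalIp
}

# Check from a domain-joined client: every published name must now resolve to
# the internal address; the server's own FQDN is not part of the picture at all.
foreach ($name in $hostNames) {
    $answers = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress
    if ($answers -notcontains $internalIp) {
        throw "$name resolves to $($answers -join ',') instead of $internalIp"
    }
    '{0,-28} -> {1}' -f $name, ($answers -join ',')
}
```

On a DNS server without the DnsServer module the same two steps are `dnscmd /zoneadd owa.newschool.org /primary /file owa.newschool.org.dns` followed by `dnscmd /recordadd owa.newschool.org @ A 192.168.10.10`. Because the zone is file-backed it does not replicate: with more than one internal DNS server, repeat this on each of them. The point for the certificate error is that Outlook ends up resolving and connecting to a name that is on the certificate, never to EX01.old-school.org.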
 

Author Comment

by:toddtx
ID: 39237683
Simon,

Should I run that script at the bottom of your second link on the new server? Will that take care of the SSL error?

http://exchange.sembee.info/2010/install/clientaccesshostnames.asp

Todd
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39240653
As long as you have the DNS entries in place, then the script will allow the external names to be used internally and would stop SSL prompts. That is what it is designed for.

Simon.
 

Author Comment

by:toddtx
ID: 39244223
Thanks! Alternatively, would just getting a Multiple Domain (UCC) SSL Certificate work too?

(Wondering if I'm being penny-wise, pound-foolish)
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39245014
UC certificate is the preferred solution. You would still need to make changes though, as you ideally want to eliminate the old domain from use.

Simon.
 

Author Comment

by:toddtx
ID: 39261047
Thanks Simon. I now have a UCC with the correct names, and I ran the script but got this error message:

[PS] C:\>.\Script.ps1
You can't make this change because 'CN=EMAILSERVER,CN=Servers,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ADDOMAIN>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=old-school,DC=org' is read-only to the current version of Exchange.
    + CategoryInfo          : InvalidOperation: (:) [Set-ClientAccessServer], CannotModifyCrossVersionObjectException
    + FullyQualifiedErrorId : 61F56F56,Microsoft.Exchange.Management.SystemConfigurationTasks.SetClientAccessServer
    + PSComputerName        : ex01.old-school.org

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39264617
What script were you running?
The error means what it says, so you may have to run it on the Exchange 2007 server to get it to take correctly.

Simon.
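
An added example of the host-name change Simon describes (written for this thread; it is not Sembee's script and not anything the poster ran), scoped to the new server. The CannotModifyCrossVersionObjectException above is what you get when a script enumerates every Client Access server from the Exchange 2013 shell: EMAILSERVER is an Exchange 2007 object and is read-only there, so everything below is restricted to EX01 with -Server / -Identity. Server and host names are from the thread; using owa.newschool.org for all services and autodiscover.newschool.org for the Autodiscover SCP is an assumption.

```powershell
# Added example: set the Exchange 2013 client-facing names on EX01 to names that
# are on the UC certificate. Run in the Exchange Management Shell on the 2013 server.
# Scoping to EX01 avoids the Exchange 2007 server object, which the 2013 shell
# cannot modify (CannotModifyCrossVersionObjectException).

$server   = 'EX01'                         # from the thread
$hostName = 'owa.newschool.org'            # assumed single name for all services
$autoDisc = 'autodiscover.newschool.org'   # on the certificate, per the thread
$base     = "https://$hostName"

# Front-end virtual directories: identical internal and external URLs. That is
# what makes split DNS necessary and makes the certificate name match inside.
Get-OwaVirtualDirectory         -Server $server | Set-OwaVirtualDirectory         -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory         -Server $server | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $server | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $server | Set-OabVirtualDirectory         -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"

# Outlook Anywhere: this is the name Outlook 2010 compares against the
# certificate (and the msstd: principal), so it must be on the certificate too.
# NTLM inside; Basic outside is tolerable only because SSL is required there.
Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere `
    -InternalHostname $hostName -InternalClientsRequireSsl $true -InternalClientAuthenticationMethod Ntlm `
    -ExternalHostname $hostName -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic

# Autodiscover SCP in AD: domain-joined Outlook reads this before it tries DNS,
# so it is the first place the old server name leaks from. The Autodiscover
# virtual directory itself is left alone, as advised earlier in the thread.
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$autoDisc/Autodiscover/Autodiscover.xml"

# Verify: nothing client-facing on EX01 may still carry old-school.org
$settings = [ordered]@{
    OWA = (Get-OwaVirtualDirectory         -Server $server).InternalUrl
    ECP = (Get-EcpVirtualDirectory         -Server $server).InternalUrl
    EWS = (Get-WebServicesVirtualDirectory -Server $server).InternalUrl
    EAS = (Get-ActiveSyncVirtualDirectory  -Server $server).InternalUrl
    OAB = (Get-OabVirtualDirectory         -Server $server).InternalUrl
    RPC = (Get-OutlookAnywhere             -Server $server).InternalHostname
    SCP = (Get-ClientAccessServer          -Identity $server).AutoDiscoverServiceInternalUri
}
foreach ($entry in $settings.GetEnumerator()) {
    $state = if ("$($entry.Value)" -match 'old-school\.org') { 'STILL OLD NAME' } else { 'ok' }
    '{0}  {1,-14} {2}' -f $entry.Key, $state, $entry.Value
}
```

The verification table is the check worth keeping: any row reporting the old domain is a name Outlook will be handed, and because that name is not on the certificate it turns into the credential prompt rather than a clear certificate error. After the SCP change has had a few minutes to replicate, Outlook's Test E-mail AutoConfiguration on a client should report the Outlook Anywhere host and certificate principal name as owa.newschool.org and msstd:owa.newschool.org, both of which are on the certificate posted above.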
 

Author Comment

by:toddtx
ID: 39265878
I was running the script on the new server EX01. The old server is EMAILSERVER.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39265918
Have the changes been made to the new server correctly? If so then you can probably ignore that error.

Simon.
 

Author Comment

by:toddtx
ID: 39266114
I believe so. The current symptom is the migrated user's Outlook 2010 will not connect to the new server. The "Enter your credentials" box pops up saying "Connecting to emailserver.newschool.org" and does not take the login. Note that existing users and the old server are running fine.

Would the Results and Log of "Test E-mail AutoConfiguration" shed any light?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39270851
Primary reason for authentication prompts isn't actually authentication - it is SSL certificate issues. Outlook cannot cope with the prompts if you have a host name incorrect and therefore throws up the authentication prompt.

Do you have any mailboxes on the old server still? If not then remove the server using add/remove programs.

Simon.
 

Author Comment

by:toddtx
ID: 39271249
Yes, the old server is in production!

My goal was to verify the new server was working with the Outlook client (Outlook Web Access/App works fine) but I guess this is not possible.

So, will I just need to migrate all the mailboxes over and take it from there?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39278477
That may well be the best option. You could look at reconfiguring the old server so the settings match the new server or something like that, but if the plan is to move everything anyway, just press ahead and do that.

Simon.
 

Author Comment

by:toddtx
ID: 39291716
Simon, thanks for your help.
At this point, I could update the title to read: OWA and Activesync work, Outlook 2010 will not connect to Exchange 2013.
I have migrated all mailboxes to Exchange 2013, and the summer staff are using Outlook Web App for the moment.

I ran Test E-mail Autoconfiguration (and edited it to reflect newschool.org and old-school.org (newssschool.org and old-shol.org to fit)) and uploaded the picture. (It's a bummer you can't export that info.)

What stands out to me is the red 1 and 2 - the server name should be EX01.old-school.org to fit with the cert, no?

Note 1: Any change I make to the Outlook 2010 Client Account Configuration is "erased" every time by autodiscover (I presume), and
Note 2 : I have not run the aforementioned script - is there still a need to?
Note 3. No SSL alerts or errors for OWA.

[Image: Test E-mail Autoconfiguration]
 

Author Comment

by:toddtx
ID: 39295036
Update:
I've made some changes, and the above is changed to reflect this:

Server: EX01.old-school.org
Certificate Principal name: msstd:ex01.old-school.org



Now the symptom is just being prompted for the password ad infinitum.
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39296754
Authentication prompts are usually caused by one of two things. SSL issues - where the host name doesn't match, or there are authentication configuration issues within Exchange (if internal) or a firewall is breaking things (External). No single fix.

Your best option may well be to ask a separate question, as this one has deviated from the original.

Simon.
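
Simon's point in both of his last comments is that the "password" prompt is really a host-name mismatch. As an added example (mine, not from the thread), the check below decides whether a name Outlook connects to is actually covered by the certificate. The SAN list is constructed from the certificate details posted in the question; the names tested are the ones that appeared in the prompts and in the poster's final msstd:ex01.old-school.org setting. Get-ServerCertDnsNames is a helper of mine for reading the same list from a live server and is an assumption about what you would run from a client, not anything in the thread.

```powershell
# Added example: does the certificate cover the name Outlook is connecting to?
# Name matching follows the usual rule that "*." covers exactly one label.

function Test-CertNameMatch {
    param([string[]]$SanList, [string]$HostName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($san in $SanList) {
        $s = $san.ToLowerInvariant()
        if ($s -eq $h) { return $true }
        if ($s.StartsWith('*.')) {
            # host must be exactly <one label> + the wildcard's suffix
            $suffix = $s.Substring(1)                 # e.g. ".newschool.org"
            $dot = $h.IndexOf('.')
            if ($dot -gt 0 -and $h.Substring($dot) -eq $suffix) { return $true }
        }
    }
    return $false
}

function Get-ServerCertDnsNames {
    # Reads the DNS names from whatever certificate a server presents on 443.
    # Chain validation is deliberately bypassed: we only read the names, we do
    # not trust the server. Never reuse this callback in a real client.
    param([string]$ConnectTo, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ConnectTo)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if (-not $san) { return @() }
        # Format($false) yields "DNS Name=a, DNS Name=b" on an English system
        return ($san.Format($false) -split ',\s*') | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    } finally { $tcp.Close() }
}

# Constructed input: the SAN list exactly as posted in the question
$sanFromThread = 'owa.newschool.org', 'www.owa.newschool.org',
                 'autodiscover.newschool.org', 'EX01.newschool.org'

# Names Outlook was seen connecting to, or was pointed at, in this thread
$names = 'EX01.old-school.org', 'emailserver.newschool.org',
         'owa.newschool.org', 'autodiscover.newschool.org'

foreach ($n in $names) {
    $verdict = if (Test-CertNameMatch $sanFromThread $n) { 'covered' } else { 'NOT on certificate: name mismatch prompt' }
    '{0,-28} {1}' -f $n, $verdict
}

# Live variant, run from a client on the internal network:
#   Test-CertNameMatch (Get-ServerCertDnsNames 'owa.newschool.org') 'owa.newschool.org'
```

Against the posted SAN list the first two names fail and the last two pass. The configuration the poster arrived at last, Server EX01.old-school.org with principal msstd:ex01.old-school.org, fails this check for exactly the same reason the first Security Alert did: the name is not on the certificate, so Outlook falls back to the credential prompt rather than showing a certificate error. The msstd: principal is compared against the certificate as well, so it too must be a name the certificate carries.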