• Status: Solved
  • Priority: Medium
  • Security: Public

SSL issue, migration from Ex2k7 to Ex2k13 - old AD domain name...

In the process of migrating from Exchange 2007 to Exchange 2013 for a private school.

I've set up Ex2k13, migrated a former employee's mailbox to 2013, and OWA/mail flow are working fine.

Original AD domain is: old-school.org (this would be domain.local in generic examples)
Current email domain we are using is: newschool.org

Existing 2007 Exchange server name: emailserver
New 2013 Exchange server name: EX01

But Outlook 2010 for the migrated user:

Issue one:
When Outlook is started, I get the username/password box.
Note - the title of the box shows the old server name:
Connecting to: emailserver.newschool.org

Username and password rejected, but as I keep entering it, a Security Alert pops up:


Security Alert
EX01.old-school.org

<check> The security cert. is from a trusted cert. authority.
<check> The security cert. date is valid.
<red X> The name on the security cert. is invalid or does not match the name of the site.


When I view certificate details:

Subject Alternative Name:
DNS name = owa.newschool.org
DNS name = www.owa.newschool.org
DNS name = autodiscover.newschool.org
DNS name = EX01.newschool.org

It seems to me a start is to get the EX01.old-school.org to be seen as EX01.newschool.org

So how to do this?

Once that is done, I guess updating autodiscover internally to point to the new server is in order (after I've moved mailboxes.)
Asked: toddtx
1 Solution
 
Simon Butler (Sembee)ConsultantCommented:
It isn't clear from your question - are you going cross forest or is this a regular migration on the same Windows Domain and Exchange org?

Simon.
0
 
toddtxAuthor Commented:
It is a regular migration. All existing internal AD domain activities (joining computers, etc. use old-school.org). The school did a rebranding six years ago and the email domain is now newschool.org. When Outlook 2010 came out, we had a few minor SSL issues at the time, but we were able to resolve them pretty easily.
0
 
Simon Butler (Sembee)ConsultantCommented:
That is fine. That just means you need to configure everything internally correctly.
You will need a split DNS system and then reconfigure Exchange to use the same host name internally and externally. Autodiscover on both servers can use the same host name.

Split DNS: http://semb.ee/splitdns
Host Names in Exchange: http://semb.ee/hostnames

Simon.
0
 
toddtxAuthor Commented:
I have added a new Forward Lookup Zone: owa.newschool.org

tracert owa.newschool.org
Tracing route to owa.newschool.org [192.168.10.10]
over a maximum of 30 hops
1 1 ms < 1 ms < 1ms EX01.old-school.org [192.168.10.10]

Trace complete.



When I start Outlook 2010, Outlook's password prompt title still shows the old server name.

Also, when I click cancel on that, and look at Outlook's account settings, the server name is really weird:
e700bd6d-389f-35of-c2da541a52c@newschool.org
0
 
toddtxAuthor Commented:
In the Exchange admin center > virtual directories

For Autodiscover (Default Web Site) what should be in the Server: box ?
Right now mine says just

EX01
0
 
Simon Butler (Sembee)ConsultantCommented:
Don't touch the Autodiscover virtual directory configuration - you don't have to modify that at all. Follow the instructions I have provided in the links above - nothing else has to be changed.

Simon.
0
 
toddtxAuthor Commented:
Will try it out this weekend.
0
 
toddtxAuthor Commented:
Question about these instructions...

http://exchange.sembee.info/network/split-dns.asp

Configuration Instructions - Single Host Replacement

Setting up a New Zone


1. On your primary DNS server, start the DNS administration tool.
2. Right click on the server and choose New Zone.
3. Step through the wizard. You need a FORWARD primary zone that is NOT AD integrated (you may have to deselect an option).
4. When asked for the domain name, enter the host that you want to replace.
For example if you want to replace owa.example.com then you would enter owa.example.com.
[In my example, I am wanting to replace EX01.old-school.org, correct?]
5. Accept the option about creating a file.
6. As this is not an AD integrated zone, disable dynamic updates.
0
 
Simon Butler (Sembee)ConsultantCommented:
No.
The step you have pointed to allows you to use the same host name internally as externally.
So if owa.example.com resolves to an external IP address, using the split DNS system you resolve it to an internal IP address.

What you want to do is change the Exchange configuration to use the same host name internally and externally via split DNS so that the real name of the Exchange server is not used anywhere.

Simon.
0
 
toddtxAuthor Commented:
Simon,

Should I run that script at the bottom of your second link on the new server? Will that take care of the SSL error?

http://exchange.sembee.info/2010/install/clientaccesshostnames.asp

Todd
0
 
Simon Butler (Sembee)ConsultantCommented:
As long as you have the DNS entries in place, then the script will allow the external names to be used internally and would stop SSL prompts. That is what it is designed for.

Simon.
0
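As an added example (not Simon's script from the linked page, and not anything posted in this thread): a read-only audit in the Exchange Management Shell that lists every client access host name configured on the 2013 server next to whether it appears in the SANs of the certificate bound to IIS. This is the mismatch behind the name error and the credential prompts discussed above. It assumes the server name EX01 from the thread and standard Exchange 2013 cmdlets; Test-NameOnCert and Add-Check are helper functions written for this example.

```powershell
# Added example (not Simon's script): audit Exchange 2013 client access host names
# against the SANs of the IIS certificate so any URL still using the AD name
# (EX01.old-school.org) is spotted before Outlook complains. Assumption: run in the
# Exchange Management Shell on the 2013 server; $Server is the name from this thread.
$Server = 'EX01'
# SANs of the enabled IIS certificate, lower-cased for comparison.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
# Hypothetical helper: exact SAN match, or a wildcard SAN covering exactly one label.
function Test-NameOnCert([string]$HostName) {
    if ([string]::IsNullOrEmpty($HostName)) { return $true }  # URL unset: nothing to match
    $h = $HostName.ToLower()
    if ($sans -contains $h) { return $true }
    $parent = ($h -split '\.', 2)[1]
    return [bool]($parent -and ($sans -contains "*.$parent"))
}
$checks = New-Object System.Collections.ArrayList
function Add-Check([string]$Setting, [string]$HostName) {
    [void]$checks.Add([pscustomobject]@{ Setting = $Setting; HostName = $HostName })
}
# Internal/External URLs of the IIS virtual directories (front end and back end).
$vdirs = & {
    Get-OwaVirtualDirectory -Server $Server
    Get-EcpVirtualDirectory -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-OabVirtualDirectory -Server $Server
    Get-ActiveSyncVirtualDirectory -Server $Server
}
foreach ($v in $vdirs) {
    foreach ($side in 'InternalUrl', 'ExternalUrl') {
        $u = $v.$side
        Add-Check "$($v.Identity) $side" $(if ($u) { $u.Host } else { '' })
    }
}
# Outlook Anywhere host names, the SCP URI that domain-joined Outlook reads first,
# and the msstd: principal name Outlook checks against the certificate subject.
foreach ($o in Get-OutlookAnywhere -Server $Server) {
    Add-Check "$($o.Identity) InternalHostname" ([string]$o.InternalHostname)
    Add-Check "$($o.Identity) ExternalHostname" ([string]$o.ExternalHostname)
}
$scp = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
Add-Check 'AutoDiscoverServiceInternalUri' $(if ($scp) { $scp.Host } else { '' })
$cpn = [string](Get-OutlookProvider EXPR).CertPrincipalName
Add-Check 'OutlookProvider EXPR CertPrincipalName' ($cpn -replace '^msstd:', '')
# Any row with OnCertificate = False is a name Outlook will reject with the SSL alert.
$checks | Select-Object Setting, HostName,
    @{ n = 'OnCertificate'; e = { Test-NameOnCert $_.HostName } } | Format-Table -AutoSize
```

Every row marked False is a host name that must either be added to the UC certificate or replaced with one of the certificate's names (owa.newschool.org, autodiscover.newschool.org, EX01.newschool.org), with split DNS resolving that name internally.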
 
toddtxAuthor Commented:
Thanks! Alternatively, would just getting a Multiple Domain (UCC) SSL Certificate work too?

(Wondering if I'm being penny-wise, pound-foolish)
0
 
Simon Butler (Sembee)ConsultantCommented:
UC certificate is the preferred solution. You would still need to make changes though, as you ideally want to eliminate the old domain from use.

Simon.
0
 
toddtxAuthor Commented:
Thanks Simon. I now have a UCC with the correct names, and I ran the script but got this error message:

[PS] C:\>.\Script.ps1
You can't make this change because 'CN=EMAILSERVER,CN=Servers,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ADDOMAIN>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=old-school,DC=org' is read-only to the current version of Exchange.
    + CategoryInfo          : InvalidOperation: (:) [Set-ClientAccessServer], CannotModifyCrossVersionObjectException
    + FullyQualifiedErrorId : 61F56F56,Microsoft.Exchange.Management.SystemConfigurationTasks.SetClientAccessServer
    + PSComputerName        : ex01.old-school.org


0
 
Simon Butler (Sembee)ConsultantCommented:
What script were you running?
The error means what it says, so you may have to run it on the Exchange 2007 server to get it to take correctly.

Simon.
0
 
toddtxAuthor Commented:
I was running the script on the new server EX01. The old server is EMAILSERVER.
0
 
Simon Butler (Sembee)ConsultantCommented:
Have the changes been made to the new server correctly? If so then you can probably ignore that error.

Simon.
0
 
toddtxAuthor Commented:
I believe so. The current symptom is the migrated user's Outlook 2010 will not connect to the new server. The "Enter your credentials" box pops up saying "Connecting to emailserver.newschool.org" and does not take the login. Note existing users and the old server are running fine.

Would the Results and Log of "Test E-mail AutoConfiguration" shed any light?
0
 
Simon Butler (Sembee)ConsultantCommented:
Primary reason for authentication prompts isn't actually authentication - it is SSL certificate issues. Outlook cannot cope with the prompts if you have a host name incorrect and therefore throws up the authentication prompt.

Do you have any mailboxes on the old server still? If not then remove the server using add/remove programs.

Simon.
0
 
toddtxAuthor Commented:
Yes, the old server is in production!

My goal was to verify the new server was working with the Outlook client (Outlook Web Access/App works fine) but I guess this is not possible.

So, will I just need to migrate all the mailboxes over and take it from there?
0
 
Simon Butler (Sembee)ConsultantCommented:
That may well be the best option. You could look at reconfiguring the old server so the settings match the new server or something like that, but if the plan is to move everything anyway, just press ahead and do that.

Simon.
0
 
toddtxAuthor Commented:
Simon, thanks for your help.
At this point, I could update the title to read: OWA and Activesync work, Outlook 2010 will not connect to Exchange 2013.
I have migrated all mailboxes to Exchange 2013, and the summer staff are using Outlook Web App for the moment.

I ran Test E-mail Autoconfiguration (and edited it to reflect newschool.org and old-school.org (newssschool.org and old-shol.org to fit) and uploaded the picture. (It's a bummer you can't export that info.)

What stands out to me is the red 1 and 2 - the server name should be EX01.old-school.org to fit with the cert, no?

Note 1: Any change I make to the Outlook 2010 Client Account Configuration is "erased" every time by autodiscover (I presume), and
Note 2 : I have not run the aforementioned script - is there still a need to?
Note 3. No SSL alerts or errors for OWA.

Test E-mail Autoconfiguration
0
 
toddtxAuthor Commented:
Update:
I've made some changes, and the above is changed to reflect this:

Server: EX01.old-school.org
Certificate Principal name: msstd:ex01.old-school.org

Now the symptom is just being prompted for the password ad infinitum.
0
 
Simon Butler (Sembee)ConsultantCommented:
Authentication prompts are usually caused by one of two things. SSL issues - where the host name doesn't match, or there are authentication configuration issues within Exchange (if internal) or a firewall is breaking things (External). No single fix.

Your best option may well be to ask a separate question, as this one has deviated from the original.

Simon.
0
