I have Exchange 2013 CU3 running on Server 2012 Standard with both CAS and Mailbox roles. I have on more than one occasion read about hiding the actual netbios host name of the server and keeping it off the public certificate. One example is this article: http://exchangeserverpro.com/avoiding-exchange-2013-server-names-ssl-certificates/
Things were running pretty good (save for some ActiveSync issues) but I am nervous about having the host name listed in public DNS so off I go on this effort of changing things over to the generic mail.mydomain.com. I changed the EHLO on the Send Connector. I tried to change the EHLO on the five Receive connectors but three of them would not take the change and it appears there is no way to change them. I believe it was Client Proxy, Default Server, and Default Frontend Server (I only use the default connectors). I changed my SMTP banner so it won't show there. DNS records show the generic name. I re-keyed the certificate at GoDaddy and took off the host name. All virtual directories were changed to have the same internal and external urls of mail.mydomain.com. I made changes to internal DNS to make sure mail.mydomain.com and autodiscover.mydomain.com point to the IP of the server. I also take off the detailed routing information in the headers so the host name would not show there either.
I ran Windows Update and some updates came down including KB2880833. I rebooted.
I log back in and now I do not have access to the Exchange Power Shell as it does not see the server. I tried to have it go to mail.mydomain.com and still errors out. WinRM can't resolve hostname. I go to https://mail.mydomain.com/ecp or owa and login and get a blank page. If I substitute the host name I get the red certificate warning and I click to go on and same thing I get the blank page. Changing the cert has completely demolished this installation. IMAP, ActiveSync, OutlookAnywhere, and even Outlook connecting up to the server is all failing. Good thing this is a small installation in the start up phase.
Well we all get desperate so after some troubleshooting and nothing working I tried to delete the virtual directories in the Default Website in IIS and rebuild them manually. No go...in fact now I am in worse shape and getting the 403 error and no site at all (I did not say this was going to be easy !).
Obviously my first question is where do I go from here ? Anyone know of a way to rebuild the virtual directories successfully in IIS or other tools ?
My second question is do I forget the plan to try to hide the host name of the server ? I could re-key the certificate again and put the host name back into it. I am not keen on this idea but if that's what I have to do to get this working again then that's it. I do have some decent security with endpoint protection and Malware protection on the mail server itself and behind some Cisco gear. I know...you can never be secure enough.
The fallback is that I have two images of this server before all the problems. Both of them might pre-date CU3 but I could always reinstall that to match the schema changes made in Active Directory. I re-keyed the cert on 1/17 so both images pre-date change as well I could install a new certificate pretty quickly after the re-image. Any assistance you can give me is much appreciated ! Thank you.