Solved

How to re-configure exchange to use FQDN instead of local hostname

Posted on 2014-11-08
12
1,650 Views
Last Modified: 2014-11-09
I went to renew my UCC SSL cert and came to find out that I can no longer use the local host name of my Exchange server. I have removed the local host name from the cert and now I'm getting the "Server doesn't match the names on the certificate" pop-up. I have multiple names on this certificate in order to provide mail to multiple clients. Of course, all of the clients are getting the cert pop-up. I know that the steps I need to take are the following:

1. Change the local hostname of the Exchange server to an FQDN. I can see multiple places where the local hostname is located in Exchange that will need to be changed to the new FQDN.

2. Add the new FQDN to SSL.

3. Install new cert.

4. Move on to the next problem.

However, I seem to be getting stuck on the FQDN part. Do I need to purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and change it in Exchange, will there be anything else that will need changing, i.e. DNS entries on the DC, DNS records of the domain (A records), etc.?

The resources I have found say to simply change the internal URLs to the external URLs, and this is where I run into an issue. There are no external URLs on this Exchange server, only internal URLs.

Current Exchange server name:

testex5.aandocomputer.local     (this is an example)

Localhost names that were removed:

testex5.aandocomputer.local
aandocomputer.local

Proposed FQDN: testex5.aandocomputer.com    (this is an example)

Current SSL domains:

mail.exchangeclient1.com
mail.exchangeclient2.com
mail.exchangeclient3.com
mail.exchangeclient4.com
mail.exchangeclient5.com
aandocomputer.com
autodiscover.aandocomputer.com

Resources I have used:

http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/

https://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name

http://exchangekb.com/tag/invalid-fully-qualified-domain-name-such-as-local/
0
Question by:aando
12 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40430885
However, I seem to be getting stuck on the FQDN part. Do I need to purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and change it in Exchange, will there be anything else that will need changing, i.e. DNS entries on the DC, DNS records of the domain (A records), etc.?

The resources I have found say to simply change the internal URLs to the external URLs, and this is where I run into an issue. There are no external URLs on this Exchange server, only internal URLs.

Sounds like external access was never configured on Exchange.

If you go to EMC >> Organization Configuration >> Hub Transport >> Accepted Domains, what do you have listed there?

Any external (not .local) FQDNs? If so, I would look at using one of those for both the internal and external URLs. Then get a cert with that domain name on it. Create the appropriate DNS records and make sure those are listed on the cert. Then configure split-brain DNS like the articles state.
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 40430918
If I understand correctly your problem is mainly with client access. This is done via internal (for LAN) virtual directories and external (WAN) virtual directories in Exchange 2010 and 2013.

You can't change the Exchange server's name; what you can do is change the name it presents internally and externally (they can be different). You will also want to make sure SMTP is correctly configured to match your reverse DNS.

Here is a general article on your problem:
http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

Here are some about manually renaming the virtual directories:
http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
http://dougg.co.nz/2013/02/26/set-the-exchange-2010-virtual-directory-namespaces/

Here are some scripts that help to do this in a more automatic way:
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
http://msunified.net/2010/05/07/script-for-configuring-exchange-2010-internal-and-external-urls/
0
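One way to do the audit and change described in the two answers above, as an added PowerShell example that is not from the thread or the linked scripts. It assumes the Exchange Management Shell on Exchange 2010/2013; the server name and FQDN are placeholders.

```powershell
# Added example (not from the thread or the linked articles): list the host names
# Exchange hands to clients, compare them with the SANs on the IIS certificate, and
# optionally repoint every client-access URL at one public FQDN.
$Server  = 'TESTEX5'                    # CAS to audit/change (placeholder)
$NewFqdn = 'testex5.aandocomputer.com'  # public name that is on the certificate (placeholder)
$Apply   = $false                       # $false = report only; $true = run the Set-* calls

# 1. Gather the virtual directories and every host name currently in their URLs.
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-OabVirtualDirectory         -Server $Server
)
$hosts = @($vdirs | ForEach-Object { $_.InternalUrl, $_.ExternalUrl } |
           Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() })
$adUri = (Get-ClientAccessServer $Server).AutoDiscoverServiceInternalUri
if ($adUri) { $hosts += $adUri.Host.ToLower() }
$hosts = $hosts | Sort-Object -Unique

# 2. Any host name absent from the IIS-bound certificate produces the name-mismatch pop-up.
#    Exact match only; a wildcard certificate would need a pattern comparison instead.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$san  = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$hosts | ForEach-Object {
    $ok = $san -contains $_
    '{0,-45} {1}' -f $_, $(if ($ok) { 'on certificate' } else { 'NOT ON CERTIFICATE' })
}

# 3. Use the same public FQDN for InternalUrl and ExternalUrl; split-brain DNS then resolves
#    it to the private IP inside the LAN and to the NAT'd public IP outside.
if ($Apply) {
    $b = "https://$NewFqdn"
    Get-OwaVirtualDirectory         -Server $Server | Set-OwaVirtualDirectory         -InternalUrl "$b/owa" -ExternalUrl "$b/owa"
    Get-EcpVirtualDirectory         -Server $Server | Set-EcpVirtualDirectory         -InternalUrl "$b/ecp" -ExternalUrl "$b/ecp"
    Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$b/EWS/Exchange.asmx" -ExternalUrl "$b/EWS/Exchange.asmx"
    Get-ActiveSyncVirtualDirectory  -Server $Server | Set-ActiveSyncVirtualDirectory  -InternalUrl "$b/Microsoft-Server-ActiveSync" -ExternalUrl "$b/Microsoft-Server-ActiveSync"
    Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -InternalUrl "$b/OAB" -ExternalUrl "$b/OAB"
    Set-ClientAccessServer $Server -AutoDiscoverServiceInternalUri "$b/Autodiscover/Autodiscover.xml"
    # Re-run steps 1-2 afterwards, then recycle IIS (iisreset) so clients pick up the new URLs.
}
```

Run it once with $Apply left at $false to see which names would still trigger the pop-up before changing anything.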
 

Author Comment

by:aando
ID: 40430938
Update! I followed your guide Gareth and everything was going smoothly until I checked the external access to OWA. It doesn't seem to be resolving. It does function properly internally. I have the new FQDN pointed to a public IP that is NAT'd to the internal IP of the exchange server. OWA was resolving externally with the new FQDN before I made all the changes to exchange. Outlook clients (internal and external) will not connect to the server using the new FQDN for the server. Would I still need to use the old server name in outlook?

As for the "accepted domains" there are many, but there is one missing and it is the one I just created. I have added that as an authoritative and set it as default.

The SSL cert installed already includes the new FQDN that I have created.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430944
I was just looking over your original post. Are you in a multi-tenant model?
0
 

Author Comment

by:aando
ID: 40430945
I'm not sure what you mean by multi-tenant. We have 2 Exchange servers with one CAS on the main Exchange server serving multiple different clients, all of which have their own OWA address that is still working externally.
0
 

Author Comment

by:aando
ID: 40430951
Update! It seems that the original issue with the cert pop-up has been fixed by following your guide. I'm still not sure why I can't reach OWA by using the new domain name, but it's not very relevant as none of our clients will be connecting to OWA using that address.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430955
From your definition it sounds like you are multi-tenant. I assume by "clients" you mean customers and not types of software. So, to confirm you host multiple customers in your Exchange environment. Just making sure.

Unfortunately, my article isn't really catered towards multi-tenancy. What names were on the old certificate? Did it have any external names on it? Besides the .locals? Normally in multi-tenancy you have one generic URL that is used for autodiscover, etc.
0
 

Author Comment

by:aando
ID: 40430960
Yes, multiple customers. The old certificate only had two .local names, the server name and the local domain. All the others were external names. The cert only has one URL for autodiscover, autodiscover.aandocomputer.com.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430965
What FQDN did you end up configuring for the Exchange URLs? I am assuming it was something.aandocomputer.com? Which also existed on the certificate?
0
 

Author Comment

by:aando
ID: 40430974
Yes, I ended up using an aandocomputer.com FQDN that already existed on the cert but wasn't being used yet. So far everything seems to be working correctly. Thanks for all the help!
0
 

Author Closing Comment

by:aando
ID: 40430975
Great guide!
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430983
Awesome.
0