Solved

How to re-configure exchange to use FQDN instead of local hostname

Posted on 2014-11-08
12
1,174 Views
Last Modified: 2014-11-09
I went to renew my UCC SSL cert and come to find out that I can no longer use the local host name of my exchange server. I have removed the local host name from the cert and now I'm getting the "Server doesn't match the names on the certificate pop-up" I have multiple names on this certificate in order to provide mail to multiple clients. Of course, all of the clients are getting the cert pop-up. I know that the steps I need to take are the following:

1. Change the local hostname of the exchange server to a FQDN. I can see multiple places where the local hostname is located in Exchange that will need to be changed to the new FQDN.

2. Add the new FQDN to SSL.

3. Install new cert.

4. Move on to the next problem.

However, I seem to be getting stuck on the FQDN part. Do I need to have a purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and thusly change it in Exchange will there be anything else that will need changing, I.E. DNS entries on the DC, DNS records of the domain (A records), etc.

By following the resources I have found they say to simply change the internal URL's to the external URL's and this is where I run into an issue. There are no external URL's on this Exchange server, only internal URL's

Current Exchange server name:

testex5.aandocomputer.local     (this is an example)

Localhost names that were removed:

testex5.aandocomputer.local
aandocomputer.local

Proposed FQDN: testex5.aandocomputer.com    (this is an example)

Current SSL domains:

mail.exchangeclient1.com
mail.exchangeclient2.com
mail.exchangeclient3.com
mail.exchangeclient4.com
mail.exchangeclient5.com
aandocomputer.com
autodiscover.aandocomputer.com

Resources I have used:

http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/

https://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name

http://exchangekb.com/tag/invalid-fully-qualified-domain-name-such-as-local/
0
Comment
Question by:aando
  • 6
  • 5
12 Comments
 
LVL 30

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40430885
However, I seem to be getting stuck on the FQDN part. Do I need to have a purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and thusly change it in Exchange will there be anything else that will need changing, I.E. DNS entries on the DC, DNS records of the domain (A records), etc.

 By following the resources I have found they say to simply change the internal URL's to the external URL's and this is where I run into an issue. There are no external URL's on this Exchange server, only internal URL's

Sounds like external access was never configured on Exchange.

If you go to EMC >> Organization Configuration >> Hub Transport >>
Accepted Domains. What do you have listed here?

Any external (not .local) FQDNs? If so, I would look at using one of those for both the internal and external URLs. Then get a cert with that domain name on it. Create the appropriate DNS records and make sure those are listed on the cert. Then configure split-brain DNS like the articles state.
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 40430918
If I understand correctly your problem is mainly with client access. This is done via internal (for LAN) virtual directories and external (WAN) virtual directories in Exchange 2010 and 2013.

For the Exchange server you can't change the name, what you can do is change the name it presents internally and externally. (Can be different) and you will want to make sure the SMTP is correctly configured to match your reverse DNS too.

Here is a general article on your problem:
http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

Here is one about manually renaming the Virtual Directories
http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
http://dougg.co.nz/2013/02/26/set-the-exchange-2010-virtual-directory-namespaces/

Here are some scripts that help to do this in a more automatic way
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
http://msunified.net/2010/05/07/script-for-configuring-exchange-2010-internal-and-external-urls/
0
 

Author Comment

by:aando
ID: 40430938
Update! I followed your guide Gareth and everything was going smoothly until I checked the external access to OWA. It doesn't seem to be resolving. It does function properly internally. I have the new FQDN pointed to a public IP that is NAT'd to the internal IP of the exchange server. OWA was resolving externally with the new FQDN before I made all the changes to exchange. Outlook clients (internal and external) will not connect to the server using the new FQDN for the server. Would I still need to use the old server name in outlook?

As for the "accepted domains" there are many, but there is one missing and it is the one I just created. I have added that as an authoritative and set it as default.

The SSL cert installed already includes the new FQDN that I have created.
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 40430944
Just was looking over your originally post. Are you in a multi-tenant model?
0
 

Author Comment

by:aando
ID: 40430945
I'm not sure of what you mean by multi-tenant. We have 2 exchange servers with one CAS on the main exchange server serving multiple different clients. Of which, all have their own OWA address that is still working externally.
0
 

Author Comment

by:aando
ID: 40430951
Update! It seems that the original issue with the cert pop-up has been fixed by following your guide. I'm still not sure why i can't reach OWA by using the new domain name but it's not very relevant as none of our clients will be connecting to OWA using that address.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 40430955
From your definition it sounds like you are multi-tenant. I assume by "clients" you mean customers and not types of software. So, to confirm you host multiple customers in your Exchange environment. Just making sure.

Unfortunately, my article isn't really catered towards multi-tenancy. What names were on the old certificate? Did it have any external names on it? Besides the .locals? Normally in multi-tenancy you have one generic URL that is used for autodiscover, etc.
0
 

Author Comment

by:aando
ID: 40430960
Yes, multiple customers. The old certificate only had two .local names, the server name and the local domain. all the others were external names. The cert only has one url for autodiscover,  autodiscover.aandocomputer.com.
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 40430965
What FQDN did you end up configuring for the Exchange URLs? I am assuming it was something.aandocomputer.com? Which also existed on the certificate?
0
 

Author Comment

by:aando
ID: 40430974
Yes, I ended up using a aandocomputer.com FQDN that already existed on the cert but wasn't being used yet. So far everything seems to be working correctly. Thanks for all the help!
0
 

Author Closing Comment

by:aando
ID: 40430975
Great guide!
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 40430983
Awesome.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This video discusses moving either the default database or any database to a new volume.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now