Solved

How to re-configure exchange to use FQDN instead of local hostname

Posted on 2014-11-08
12
1,483 Views
Last Modified: 2014-11-09
I went to renew my UCC SSL cert and come to find out that I can no longer use the local host name of my exchange server. I have removed the local host name from the cert and now I'm getting the "Server doesn't match the names on the certificate pop-up" I have multiple names on this certificate in order to provide mail to multiple clients. Of course, all of the clients are getting the cert pop-up. I know that the steps I need to take are the following:

1. Change the local hostname of the exchange server to a FQDN. I can see multiple places where the local hostname is located in Exchange that will need to be changed to the new FQDN.

2. Add the new FQDN to SSL.

3. Install new cert.

4. Move on to the next problem.

However, I seem to be getting stuck on the FQDN part. Do I need to have a purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and thusly change it in Exchange will there be anything else that will need changing, I.E. DNS entries on the DC, DNS records of the domain (A records), etc.

By following the resources I have found they say to simply change the internal URL's to the external URL's and this is where I run into an issue. There are no external URL's on this Exchange server, only internal URL's

Current Exchange server name:

testex5.aandocomputer.local     (this is an example)

Localhost names that were removed:

testex5.aandocomputer.local
aandocomputer.local

Proposed FQDN: testex5.aandocomputer.com    (this is an example)

Current SSL domains:

mail.exchangeclient1.com
mail.exchangeclient2.com
mail.exchangeclient3.com
mail.exchangeclient4.com
mail.exchangeclient5.com
aandocomputer.com
autodiscover.aandocomputer.com

Resources I have used:

http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/

https://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name

http://exchangekb.com/tag/invalid-fully-qualified-domain-name-such-as-local/
0
Comment
Question by:aando
  • 6
  • 5
12 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40430885
However, I seem to be getting stuck on the FQDN part. Do I need to have a purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and thusly change it in Exchange will there be anything else that will need changing, I.E. DNS entries on the DC, DNS records of the domain (A records), etc.

 By following the resources I have found they say to simply change the internal URL's to the external URL's and this is where I run into an issue. There are no external URL's on this Exchange server, only internal URL's

Sounds like external access was never configured on Exchange.

If you go to EMC >> Organization Configuration >> Hub Transport >> 
Accepted Domains. What do you have listed here?

Any external (not .local) FQDNs? If so, I would look at using one of those for both the internal and external URLs. Then get a cert with that domain name on it. Create the appropriate DNS records and make sure those are listed on the cert. Then configure split-brain DNS like the articles state.
0
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 40430918
If I understand correctly your problem is mainly with client access. This is done via internal (for LAN) virtual directories and external (WAN) virtual directories in Exchange 2010 and 2013.

For the Exchange server you can't change the name, what you can do is change the name it presents internally and externally. (Can be different) and you will want to make sure the SMTP is correctly configured to match your reverse DNS too.

Here is a general article on your problem:
http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

Here is one about manually renaming the Virtual Directories
http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
http://dougg.co.nz/2013/02/26/set-the-exchange-2010-virtual-directory-namespaces/

Here are some scripts that help to do this in a more automatic way
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
http://msunified.net/2010/05/07/script-for-configuring-exchange-2010-internal-and-external-urls/
0
 

Author Comment

by:aando
ID: 40430938
Update! I followed your guide Gareth and everything was going smoothly until I checked the external access to OWA. It doesn't seem to be resolving. It does function properly internally. I have the new FQDN pointed to a public IP that is NAT'd to the internal IP of the exchange server. OWA was resolving externally with the new FQDN before I made all the changes to exchange. Outlook clients (internal and external) will not connect to the server using the new FQDN for the server. Would I still need to use the old server name in outlook?

As for the "accepted domains" there are many, but there is one missing and it is the one I just created. I have added that as an authoritative and set it as default.

The SSL cert installed already includes the new FQDN that I have created.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430944
Just was looking over your originally post. Are you in a multi-tenant model?
0
 

Author Comment

by:aando
ID: 40430945
I'm not sure of what you mean by multi-tenant. We have 2 exchange servers with one CAS on the main exchange server serving multiple different clients. Of which, all have their own OWA address that is still working externally.
0
 

Author Comment

by:aando
ID: 40430951
Update! It seems that the original issue with the cert pop-up has been fixed by following your guide. I'm still not sure why i can't reach OWA by using the new domain name but it's not very relevant as none of our clients will be connecting to OWA using that address.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430955
From your definition it sounds like you are multi-tenant. I assume by "clients" you mean customers and not types of software. So, to confirm you host multiple customers in your Exchange environment. Just making sure.

Unfortunately, my article isn't really catered towards multi-tenancy. What names were on the old certificate? Did it have any external names on it? Besides the .locals? Normally in multi-tenancy you have one generic URL that is used for autodiscover, etc.
0
 

Author Comment

by:aando
ID: 40430960
Yes, multiple customers. The old certificate only had two .local names, the server name and the local domain. all the others were external names. The cert only has one url for autodiscover,  autodiscover.aandocomputer.com.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430965
What FQDN did you end up configuring for the Exchange URLs? I am assuming it was something.aandocomputer.com? Which also existed on the certificate?
0
 

Author Comment

by:aando
ID: 40430974
Yes, I ended up using a aandocomputer.com FQDN that already existed on the cert but wasn't being used yet. So far everything seems to be working correctly. Thanks for all the help!
0
 

Author Closing Comment

by:aando
ID: 40430975
Great guide!
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40430983
Awesome.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
Read this checklist to learn more about the 15 things you should never include in an email signature.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question