aando
asked on
How to re-configure exchange to use FQDN instead of local hostname
I went to renew my UCC SSL cert and come to find out that I can no longer use the local host name of my exchange server. I have removed the local host name from the cert and now I'm getting the "Server doesn't match the names on the certificate pop-up" I have multiple names on this certificate in order to provide mail to multiple clients. Of course, all of the clients are getting the cert pop-up. I know that the steps I need to take are the following:
1. Change the local hostname of the exchange server to a FQDN. I can see multiple places where the local hostname is located in Exchange that will need to be changed to the new FQDN.
2. Add the new FQDN to SSL.
3. Install new cert.
4. Move on to the next problem.
However, I seem to be getting stuck on the FQDN part. Do I need to have a purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and thusly change it in Exchange will there be anything else that will need changing, I.E. DNS entries on the DC, DNS records of the domain (A records), etc.
By following the resources I have found they say to simply change the internal URL's to the external URL's and this is where I run into an issue. There are no external URL's on this Exchange server, only internal URL's
Current Exchange server name:
testex5.aandocomputer.loca l (this is an example)
Localhost names that were removed:
testex5.aandocomputer.loca l
aandocomputer.local
Proposed FQDN: testex5.aandocomputer.com (this is an example)
Current SSL domains:
mail.exchangeclient1.com
mail.exchangeclient2.com
mail.exchangeclient3.com
mail.exchangeclient4.com
mail.exchangeclient5.com
aandocomputer.com
autodiscover.aandocomputer .com
Resources I have used:
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
https://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name
http://exchangekb.com/tag/invalid-fully-qualified-domain-name-such-as-local/
1. Change the local hostname of the exchange server to a FQDN. I can see multiple places where the local hostname is located in Exchange that will need to be changed to the new FQDN.
2. Add the new FQDN to SSL.
3. Install new cert.
4. Move on to the next problem.
However, I seem to be getting stuck on the FQDN part. Do I need to have a purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and thusly change it in Exchange will there be anything else that will need changing, I.E. DNS entries on the DC, DNS records of the domain (A records), etc.
By following the resources I have found they say to simply change the internal URL's to the external URL's and this is where I run into an issue. There are no external URL's on this Exchange server, only internal URL's
Current Exchange server name:
testex5.aandocomputer.loca
Localhost names that were removed:
testex5.aandocomputer.loca
aandocomputer.local
Proposed FQDN: testex5.aandocomputer.com (this is an example)
Current SSL domains:
mail.exchangeclient1.com
mail.exchangeclient2.com
mail.exchangeclient3.com
mail.exchangeclient4.com
mail.exchangeclient5.com
aandocomputer.com
autodiscover.aandocomputer
Resources I have used:
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
https://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name
http://exchangekb.com/tag/invalid-fully-qualified-domain-name-such-as-local/
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Update! I followed your guide Gareth and everything was going smoothly until I checked the external access to OWA. It doesn't seem to be resolving. It does function properly internally. I have the new FQDN pointed to a public IP that is NAT'd to the internal IP of the exchange server. OWA was resolving externally with the new FQDN before I made all the changes to exchange. Outlook clients (internal and external) will not connect to the server using the new FQDN for the server. Would I still need to use the old server name in outlook?
As for the "accepted domains" there are many, but there is one missing and it is the one I just created. I have added that as an authoritative and set it as default.
The SSL cert installed already includes the new FQDN that I have created.
As for the "accepted domains" there are many, but there is one missing and it is the one I just created. I have added that as an authoritative and set it as default.
The SSL cert installed already includes the new FQDN that I have created.
Just was looking over your originally post. Are you in a multi-tenant model?
ASKER
I'm not sure of what you mean by multi-tenant. We have 2 exchange servers with one CAS on the main exchange server serving multiple different clients. Of which, all have their own OWA address that is still working externally.
ASKER
Update! It seems that the original issue with the cert pop-up has been fixed by following your guide. I'm still not sure why i can't reach OWA by using the new domain name but it's not very relevant as none of our clients will be connecting to OWA using that address.
From your definition it sounds like you are multi-tenant. I assume by "clients" you mean customers and not types of software. So, to confirm you host multiple customers in your Exchange environment. Just making sure.
Unfortunately, my article isn't really catered towards multi-tenancy. What names were on the old certificate? Did it have any external names on it? Besides the .locals? Normally in multi-tenancy you have one generic URL that is used for autodiscover, etc.
Unfortunately, my article isn't really catered towards multi-tenancy. What names were on the old certificate? Did it have any external names on it? Besides the .locals? Normally in multi-tenancy you have one generic URL that is used for autodiscover, etc.
ASKER
Yes, multiple customers. The old certificate only had two .local names, the server name and the local domain. all the others were external names. The cert only has one url for autodiscover, autodiscover.aandocomputer .com.
What FQDN did you end up configuring for the Exchange URLs? I am assuming it was something.aandocomputer.co m? Which also existed on the certificate?
ASKER
Yes, I ended up using a aandocomputer.com FQDN that already existed on the cert but wasn't being used yet. So far everything seems to be working correctly. Thanks for all the help!
ASKER
Great guide!
Awesome.
For the Exchange server you can't change the name, what you can do is change the name it presents internally and externally. (Can be different) and you will want to make sure the SMTP is correctly configured to match your reverse DNS too.
Here is a general article on your problem:
http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/
Here is one about manually renaming the Virtual Directories
http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
http://dougg.co.nz/2013/02/26/set-the-exchange-2010-virtual-directory-namespaces/
Here are some scripts that help to do this in a more automatic way
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
http://msunified.net/2010/05/07/script-for-configuring-exchange-2010-internal-and-external-urls/