Avatar of aando
aando
 asked on

How to re-configure exchange to use FQDN instead of local hostname

I went to renew my UCC SSL cert and come to find out that I can no longer use the local host name of my exchange server. I have removed the local host name from the cert and now I'm getting the "Server doesn't match the names on the certificate pop-up" I have multiple names on this certificate in order to provide mail to multiple clients. Of course, all of the clients are getting the cert pop-up. I know that the steps I need to take are the following:

1. Change the local hostname of the exchange server to a FQDN. I can see multiple places where the local hostname is located in Exchange that will need to be changed to the new FQDN.

2. Add the new FQDN to SSL.

3. Install new cert.

4. Move on to the next problem.

However, I seem to be getting stuck on the FQDN part. Do I need to have a purchase a domain for this? If so, I already have one purchased that could be used. Once I settle on the new FQDN and thusly change it in Exchange will there be anything else that will need changing, I.E. DNS entries on the DC, DNS records of the domain (A records), etc.

By following the resources I have found they say to simply change the internal URL's to the external URL's and this is where I run into an issue. There are no external URL's on this Exchange server, only internal URL's

Current Exchange server name:

testex5.aandocomputer.local     (this is an example)

Localhost names that were removed:

testex5.aandocomputer.local
aandocomputer.local

Proposed FQDN: testex5.aandocomputer.com    (this is an example)

Current SSL domains:

mail.exchangeclient1.com
mail.exchangeclient2.com
mail.exchangeclient3.com
mail.exchangeclient4.com
mail.exchangeclient5.com
aandocomputer.com
autodiscover.aandocomputer.com

Resources I have used:

http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/

https://support.godaddy.com/help/article/6281/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name

http://exchangekb.com/tag/invalid-fully-qualified-domain-name-such-as-local/
Windows Server 2008ExchangeSSL / HTTPS

Avatar of undefined
Last Comment
Gareth Gudger

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Gareth Gudger

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Carol Chisholm

If I understand correctly your problem is mainly with client access. This is done via internal (for LAN) virtual directories and external (WAN) virtual directories in Exchange 2010 and 2013.

For the Exchange server you can't change the name, what you can do is change the name it presents internally and externally. (Can be different) and you will want to make sure the SMTP is correctly configured to match your reverse DNS too.

Here is a general article on your problem:
http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

Here is one about manually renaming the Virtual Directories
http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
http://dougg.co.nz/2013/02/26/set-the-exchange-2010-virtual-directory-namespaces/

Here are some scripts that help to do this in a more automatic way
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
http://msunified.net/2010/05/07/script-for-configuring-exchange-2010-internal-and-external-urls/
aando

ASKER
Update! I followed your guide Gareth and everything was going smoothly until I checked the external access to OWA. It doesn't seem to be resolving. It does function properly internally. I have the new FQDN pointed to a public IP that is NAT'd to the internal IP of the exchange server. OWA was resolving externally with the new FQDN before I made all the changes to exchange. Outlook clients (internal and external) will not connect to the server using the new FQDN for the server. Would I still need to use the old server name in outlook?

As for the "accepted domains" there are many, but there is one missing and it is the one I just created. I have added that as an authoritative and set it as default.

The SSL cert installed already includes the new FQDN that I have created.
Gareth Gudger

Just was looking over your originally post. Are you in a multi-tenant model?
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
aando

ASKER
I'm not sure of what you mean by multi-tenant. We have 2 exchange servers with one CAS on the main exchange server serving multiple different clients. Of which, all have their own OWA address that is still working externally.
aando

ASKER
Update! It seems that the original issue with the cert pop-up has been fixed by following your guide. I'm still not sure why i can't reach OWA by using the new domain name but it's not very relevant as none of our clients will be connecting to OWA using that address.
Gareth Gudger

From your definition it sounds like you are multi-tenant. I assume by "clients" you mean customers and not types of software. So, to confirm you host multiple customers in your Exchange environment. Just making sure.

Unfortunately, my article isn't really catered towards multi-tenancy. What names were on the old certificate? Did it have any external names on it? Besides the .locals? Normally in multi-tenancy you have one generic URL that is used for autodiscover, etc.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
aando

ASKER
Yes, multiple customers. The old certificate only had two .local names, the server name and the local domain. all the others were external names. The cert only has one url for autodiscover,  autodiscover.aandocomputer.com.
Gareth Gudger

What FQDN did you end up configuring for the Exchange URLs? I am assuming it was something.aandocomputer.com? Which also existed on the certificate?
aando

ASKER
Yes, I ended up using a aandocomputer.com FQDN that already existed on the cert but wasn't being used yet. So far everything seems to be working correctly. Thanks for all the help!
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
aando

ASKER
Great guide!
Gareth Gudger

Awesome.