Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Exchange 2010 change primary authoritative domain = SSL affects

Posted on 2015-01-05
7
Medium Priority
?
208 Views
Last Modified: 2015-01-08
I need to change the Authoritative SMTP to domain mydomain2.com (existing is mydomain1.com and will be kept as a secondary).  I am fine with the steps to do this in exchange 2010 however my confusion is with my current ssl certificate for mydomain1.com.  If I keep dns pointers (active sync and owa) as mail.mydomain1.com...

1.  will users till be able to access their mailboxes?
2.  do I need a second SSL cert to satisfy the mydomain2.com if users are still using the primary mail.mydomain2.com addresses to reach active sync / OWA
3.  If I use the mydomain1.com address for remote access...will I need to make IIS changes.

My goal was to implement the new mydomain2.com as the primary for immediate public visibility in regards to email reply to and then phase II the change of SSL cert and IIS (if needed).  Or am I being Naïve?

The server domain of internal.local remains the same.
0
Comment
Question by:pscanevit
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 40532849
you need 1 SAN certificate that covers multiple domain.

autodiscover.domain1.com
mail.domain1.com
autodiscover.domain2.com
mail.domain2.com

this way all of them will be covered nicely
0
 
LVL 65

Expert Comment

by:btan
ID: 40532872
Indeed as also stated to add in additional domain under step 6
http://technet.microsoft.com/en-SG/library/jj218640(v=exchg.150).aspx

you likely need to add new domain into the Accepted Domain list and under Email policy for the user to include this new domain (e.g. "Set to reply"). After updating the email for the users, you should be able to see their SMTP has these two domain accepted account.  
http://exchangeserverpro.com/change-business-email-domain/

Normally for the SSL, it is more of the services that will encounter issue such as certificate mismatch error. As stated below, this can include Autodiscover Service and/or Availability Service use the FQDN of the Exchange host in their URL (eg https://server.domain.local/AutoDiscover/AutoDiscover.xml) but the IIS instance has an SSL certificate that does not match that name.
http://exchangeserverpro.com/outlook-2007-clients-display-certificate-mismatch-error-after-mailbox-migration/

There is also shared SMTP Namespace for separate systems (one hold as authoritative while the other is non-authoritative)  that is more control required and doubt this is your use case eventually. There is mention below the need for working to either disable recipient filtering, configure the product to do LDAP queries against all directories that share the namespace, or create Contacts.
http://exchangeserverpro.com/how-to-share-an-email-domain-between-two-mail-systems/
0
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 1000 total points
ID: 40533351
Hello,

If you would like to continuing using mydomain1.com for all your Exchange URLs, you do not need to make any modifications to the SSL cert. All you would need to do is add an autodiscover SRV record to the mydomain2.com zone so that autodiscover clients are directed to the old URLs. The record would be in the following format:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.mydomain1.com

Simply setup that SRV record then change your e-mail address policy so that mydomain2.com is the default. You will then need to apply the policy so that all your default addresses are changed on your mail-enabled objects.

-JJ
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 

Author Comment

by:pscanevit
ID: 40533586
Thank you all.  Just to make sure, as I have conflicting information between Jamie and limjianan, I understand that if want to utilize mail.mydomain2.com as the URL (after I make it primary) I need to add to SSL.  However, I was hoping to attack this as phase II.  I am being pushed to change our public face in a hurry and am hoping that Jamie's answer will do the trick.  Make Mydomain2 the primary...leave the existing URL pointer / ssl cert in tack until I can replace the SSL to incorporate both domains.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 40533606
That is correct. If you want to leave the URLs as-is, you can use the process I outlined. If you want to later change the URLs to use the new domain, you will need a new SSL cert with that domain.

-JJ
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 40534704
Agree with Jamie. You can check out this and it applies for Exchange 2010 as well. As long as SRV record points to the FQDN in the SSL certificate, it should work as in phase 1.
http://support.microsoft.com/kb/940881
But do note that the Autodiscover A record (if added) needs to point to FQDN in the certificate. In other words, if there is no Autodiscover A record, it did not then be restricted to the FQDN in the certificate.

On the side note, you may be interested in this short article if adding accepted domain is increasing and it take a balance of which option such as SAN or SRV or redirect will better scale moving forward.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-autodiscover-large-numbers-accepted-domains-part1.html
0
 

Author Closing Comment

by:pscanevit
ID: 40539090
thank you both for the great information...I not only have my current issue answered, but also a guide to new domain SSL.
Thank you!
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Suggested Courses

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question