Renaming 2012 R2 Active Directory Domain with Exchange 2010

I have a simple environment: a Server 2012 R2 as a DC, and a 2012 R2 server running Exchange 2010. We recently had to renew our SSL cert. When I migrated this from an earlier 2003 AD, I did not give any thought to moving from a .local to a .com domain.

Now we have run into the magical SSL Cert error when people open Outlook due to the whole SSL SAN issue.

I am thinking that renaming the domain to a .com suffix is probably easiest...

What considerations do I need to take into account with my Exchange server?

T-Tek asked:
Seth Simmons, Sr. Systems Administrator, commented:
Much easier to keep your .local domain and change your Exchange config to use the .com by changing your Autodiscover URLs and configuring split DNS. That way you don't have to change domain names internally.

Configure Exchange Services for the Autodiscover Service
https://technet.microsoft.com/en-us/library/bb201695%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396

Windows - Setting Up Split DNS
http://www.petenetlive.com/KB/Article/0000830.htm
Cliff Galiher commented:
You won't be renaming a domain with Exchange on it. The only way to have a different domain is a rather painful migration of user accounts to a new domain via ADMT and moving mailboxes to the new domain, and all the other fun ACL hassles associated with it.

Exchange fully supports running with a .local domain and has for many years. There is no reason your SSL certificate should have a .local name in it. This was *never* recommended as it opens you up to a MitM attack, but plenty of bad advice and tutorials exist so people invariably have done this despite it never being required.

If your exchange topology splits internal access servers from external access servers then you can use SSL certificates on your internal access servers signed by an internal CA and this will work just fine. The chain is trusted and since it is an internal CA, .local is perfectly acceptable.

The solution for your external access servers, or if you don't split the roles so internal and external is the same, is to change the URLs that are given to clients. This is usually done via PowerShell; you can set both the internal and external URLs used separately. Once done, Autodiscover will give out those URLs (even to internal clients) and the various Exchange services will load and use an SSL certificate from the server's certificate store that has a subject name or subject alternative name that matches the FQDN in the URL. Which basically means if you set the internal and external URLs to "mail.company.com" and the certificate store has a certificate with a public and private key signed by a public CA with the name "mail.company.com", then the various associated Exchange services (Autodiscover, OWA, EAS, EWS, SMTP, etc.) can load and use that certificate, even though the server's actual name is "exchange.company.local" without any correlation to the external name.

It's really no different than hosting multiple SSL-secured sites in IIS. You can associate any certificate, and you've never had to have the machine name match the site name (or shared hosting providers would never be able to exist!). Exchange has supported this configuration for the last 15 years or so, so it is well tested, works fine without prompts, warnings, or errors, and doesn't require a public certificate with a .local name. Doing this (just a few PowerShell commands and buying a SAN cert without a .local name) is far easier than trying to migrate a domain.
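The URL change and split-DNS approach that both answers above describe, written out as an added example (not taken from either answer or from Microsoft documentation). It assumes a CAS named EXCH01, a public name mail.company.com, an internal Exchange IP of 192.0.2.10, and a public-CA SAN certificate already imported into the Exchange certificate store; adjust those to your environment.

```powershell
# --- Part 1: run in the Exchange Management Shell on the Exchange 2010 CAS ---
$cas  = "EXCH01"             # assumed CAS name
$fqdn = "mail.company.com"   # assumed public name; must be in the cert's SAN list
$base = "https://$fqdn"

# Give every client-facing service the same public name for BOTH the internal
# and external URL, so Autodiscover hands out one name that the cert covers.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" `
    -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
    -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $fqdn

# Bind the public-CA certificate whose SAN list contains the public name to
# IIS and SMTP. Select it by name rather than a hard-coded thumbprint, and
# refuse to continue if no valid cert with a private key matches.
$cert = Get-ExchangeCertificate | Where-Object {
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn) -and
    $_.HasPrivateKey -and $_.Status -eq "Valid"
}
if (-not $cert) { throw "No valid certificate with a private key covers $fqdn" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Check what clients will actually be told; every URL should show the .com name.
Get-WebServicesVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $cas | Format-List AutoDiscoverServiceInternalUri

# --- Part 2: run on the 2012 R2 DC (DnsServer module) for split DNS ---
# Internal clients must resolve the public name to the INTERNAL address, or
# they will leave the network to reach their own mail server. Creating the
# zone internally hides all other public records for company.com (www, etc.),
# so re-create any of those the internal clients still need.
$internalIp = "192.0.2.10"   # assumed internal IP of the Exchange server
Add-DnsServerPrimaryZone -Name "company.com" -ReplicationScope "Domain"
Add-DnsServerResourceRecordA -ZoneName "company.com" -Name "mail" -IPv4Address $internalIp
Add-DnsServerResourceRecordA -ZoneName "company.com" -Name "autodiscover" -IPv4Address $internalIp
```

Run Part 1 before Part 2 so that the first internal lookups of mail.company.com already land on a server presenting the matching certificate.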

T-Tek (author) commented:
Thank you for your quick responses. I utilized both of your solutions and issue resolved! Much appreciated.