Rob Timmermans asked:
Reconfiguring Microsoft Exchange Server to Use a Fully Qualified Domain Name and adding a host record in the DNS to map the FQDN

I recently had to update my SSL certificate through GoDaddy.com but after doing so my users are getting a security alert.  I know this is for my .local SSL certificate.  I'm being told I need to reconfigure my Exchange Server 2010 to use a FQDN but the steps they sent me are a little confusing, plus I need to add a host A record in the DNS to map the FQDN.  My webmail is working with the new SSL because it already has a FQDN.

Do I need to create a new Forward Lookup Zone as a .org and then add the Host (A) record of the exchange servers IP address to that zone?
Will this mess with the DNS on my .local?

Instructions to resolve the FQDN issue: change the URLs for the appropriate Exchange 2007 or 2010 components. To do this, follow these steps:
Note: This resolution has to be applied by an administrator. If you are not the administrator, contact your administrator.
1. Start the Exchange Management Shell.

2. Change the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To change this URL, type the following command, and then press Enter:
Set-ClientAccessServer -Identity CAS_Server_Name -AutoDiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
 
3. Change the InternalUrl attribute of the EWS. To do this, type the following command, and then press Enter:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

4. Change the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press Enter:
Set-OABVirtualDirectory -Identity "CAS_Server_Name\OAB (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

5. Change the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press Enter:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose. Therefore, if you are using Exchange 2010, you can skip this step, as the WebServices URL should have been changed in step 3.

6. Open IIS Manager. For more information about how to do this, see How to: Open IIS Manager.

7. Expand the local computer, and then expand Application Pools.

8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following: https://ServerName.contoso.com/ews/exchange.asmx
The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."  In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

I want to make sure this is correct and that it will not take down my users.   Or could I just remove the local certificate from the Exchange server; will this resolve the security alert?  What would be the best course of action for me to take?
Will Szymkowski

You not only have to configure your virtual directories you also need to setup Split DNS on your internal DNS/DC servers. I have a complete HowTo on my site with all of the steps. See the link below...
http://www.wsit.ca/how-tos/exchange-server-2/configure-split-dns-and-exchange-2013-virtual-directories/

You also need to make sure that you enable the certificate on ALL of your CAS servers as well. Look at the Exchange HowTo as I have also illustrated how to do this.

Will.
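The following Exchange Management Shell script is an added example, not part of the question, the Microsoft steps quoted in it, or Will's how-to. It applies the Exchange 2010 internal-URL changes from steps 2 to 4 and 8 above, enables the certificate in IIS on the CAS as Will advises, and creates the split-DNS host record the "Important" note requires without creating a .org zone that could overlap the existing .local zone: a so-called pinpoint zone named exactly after the public host name holds only that one A record. The server names, IP address, public host name and certificate thumbprint are placeholders; run it on each CAS server as an Exchange organization administrator with the DNS Server tools (dnscmd) installed.

```powershell
# Added example, not from the page: reconfigure Exchange 2010 to the name on the
# public certificate and add the matching internal DNS record (split DNS).
# All values below are placeholders; replace them before running.

$CasServer  = 'CAS01'                          # assumed CAS host name
$PublicName = 'mail.example.org'               # assumed name on the GoDaddy certificate
$InternalIp = '10.0.0.25'                      # assumed internal IP of the CAS
$DnsServer  = 'DC01'                           # assumed internal DNS server (domain controller)
$Thumbprint = '<CERT_THUMBPRINT_PLACEHOLDER>'  # from Get-ExchangeCertificate

# Guard: refuse to continue if the certificate does not actually carry the public
# name; binding a certificate that lacks the name only moves the security alert.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if ($cert.CertificateDomains -notcontains $PublicName) {
    throw "Certificate $Thumbprint does not include $PublicName; aborting."
}

# Step 2: Autodiscover SCP in Active Directory (parameter is ...Uri, not ...Url).
Set-ClientAccessServer -Identity $CasServer `
    -AutoDiscoverServiceInternalUri "https://$PublicName/autodiscover/autodiscover.xml"

# Steps 3 and 4: EWS and OAB internal URLs. The UM virtual directory step is
# Exchange 2007 only and is skipped here.
Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$CasServer\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/oab"

# Will's point: bind the new certificate to IIS on this CAS (repeat on every CAS).
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS

# Step 8 from the shell instead of IIS Manager: recycle the Autodiscover app pool.
& "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool

# Split DNS on the internal DNS server. An AD-integrated pinpoint zone named
# 'mail.example.org' contains only the zone root, so the .local zone and the
# public .org zone at the registrar are left untouched.
dnscmd $DnsServer /zoneadd $PublicName /dsprimary
dnscmd $DnsServer /recordadd $PublicName '@' A $InternalIp

# Verification: what Outlook clients will now be handed, and what the name resolves to.
Get-ClientAccessServer -Identity $CasServer | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $CasServer | Format-List Identity, InternalUrl
Get-OABVirtualDirectory -Server $CasServer | Format-List Identity, InternalUrl
Get-ExchangeCertificate -Thumbprint $Thumbprint | Format-List Subject, CertificateDomains, Services
nslookup $PublicName $DnsServer
```

Because the pinpoint zone contains a single name, every other .org name still resolves through the normal forwarders, and nothing in the .local zone changes. If Outlook clients still warn after the change, the usual cause is a client that has not yet refreshed Autodiscover; the verification lines above show whether the server side is already consistent.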
Rob Timmermans (ASKER)

Will,

Your instructions are for Exchange 2013; are they the same for Exchange 2010?  How will this affect my current domain in a .local?

Rob
ASKER CERTIFIED SOLUTION
Will Szymkowski
This solution is only available to members.