Exchange 2013 Certificate Issue?

I have an Exchange 2007 server that's been running for several years.  It has a purchased SSL certificate.  I recently installed an Exchange 2013 Server and moved one mailbox to it.  It was working fine for that one mailbox for both OWA and Outlook 2010.

I tried exporting the SSL certificate from the 2007 and importing it into the 2013.  That process failed as it shows no name with an Invalid status. This probably failed because I don't recall setting the FQDN name on the 2013 server when installing, so it probably doesn't match the certificate, so I deleted it.

Now when I open Outlook 2010, I get error:  "There is a problem with the proxy server's security certificate.  The security certificate is not from a trusted certifying authority.  Outlook is unable to connect to the proxy server InternalServerNameHere (error code 8)."  

If I look at my Outlook Account settings, for the server name it has a very long line of letters and numbers with @MyInternetDomainName.  It doesn't have the actual internal server name as it did when the mailbox was on my 2007 server.

Is there some way of fixing this without restoring from a backup?  I can access that mailbox from OWA but not Outlook.  Also, it will not let me move that mailbox back to my 2007 Server.  Thanks!
sfsdtc asked:

Will Szymkowski (Senior Solution Architect) commented:
You do not need to have the internal server name on the certificate for it to work.

All you need to do is have the following on the cert:
mail.domain.com
autodiscover.domain.com

That's it. From there you would then set your virtual directories to https://mail.domain.com/... for INTERNAL and EXTERNAL.

In order to do this correctly you also need to configure split DNS.

I have created a complete HowTo to set this up properly.  Check out the links below on my site.

Certificate/Importing Certificate
http://www.wsit.ca/how-tos/exchange-server-2/exchange-2013-certificate-generation-csr-import-enable-exchange-certificate/

Configure Split DNS and Virtual Directories
http://www.wsit.ca/how-tos/exchange-server-2/configure-split-dns-and-exchange-2013-virtual-directories/

As for your certificate on Exchange 2007, if it has mail.domain.com and autodiscover.domain.com exporting it and importing it into the Exchange 2013 server should be no issue. Make sure that when you export the cert from Exchange 2007 you export the private key along with all properties.

Will.
0
sfsdtc (Author) commented:
Thanks, I'll look into that.  Do I need to somehow change my Exchange 2013 server so it also shows mail.domain somewhere?  Can I resolve the Outlook 2010 issue without getting another certificate?
0
Will Szymkowski (Senior Solution Architect) commented:
You are getting the certificate error because your virtual directories do not match the names on your certificate for Exchange 2013. So you need to configure split DNS so that you can use the external name internally.

Outlined in my HowTo.

Will.
0

sfsdtc (Author) commented:
If I read that document correctly, I need to have two DNS entries for mail.whatever (one for each server) and two DNS entries for autodiscover.whatever (one for each server) so that both mail.whatever and discover.whatever both point to the two Exchange servers?
0
Will Szymkowski (Senior Solution Architect) commented:
No... All you need to do is create a new AD Integrated Zone for externaldomain.com.

In that new Zone you create 1 A record for mail.domain.com (pointing to the IP of your CAS server or Load Balancer IP) and 1 CNAME record for autodiscover.domain.com pointing to mail.domain.com.

You then re-configure your internal virtual directories like the below example...

INTERNAL URLs
before = https://servername.domain.com/owa /oab etc

after = https://mail.domain.com/owa /oab etc

Internal should now be the same as the external URLs.

Will.
0
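The split-DNS zone plus virtual-directory change that Will describes above, as an added example that is not from the thread or from his how-to. Assumptions: external domain contoso.com, Exchange 2013 CAS named EX2013 with internal IP 10.0.0.25, a certificate containing mail.contoso.com and autodiscover.contoso.com already enabled for IIS on it, and an Exchange Management Shell on a server that also has the DnsServer module (Windows Server 2012 or later DNS role).

```powershell
# Added example, not from the thread or Will's how-to. All names below are assumptions.
$Domain   = "contoso.com"      # external SMTP/namespace domain
$Server   = "EX2013"           # Exchange 2013 CAS
$CasIp    = "10.0.0.25"        # internal IP of that CAS (or load balancer VIP)
$MailHost = "mail.$Domain"
$Base     = "https://$MailHost"

# 1. Split DNS: an AD-integrated copy of the external zone that only internal
#    clients resolve, holding one A record for mail and a CNAME for autodiscover.
Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $Domain -Name "mail" -IPv4Address $CasIp
Add-DnsServerResourceRecordCName -ZoneName $Domain -Name "autodiscover" -HostNameAlias $MailHost

# 2. Same URL inside and outside for every Exchange 2013 virtual directory, so the
#    name Outlook and OWA connect to is one that is actually on the certificate.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# Outlook Anywhere is the "proxy server" named in the Outlook 2010 error; it needs
# the same hostname, and should require SSL on both sides.
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -InternalHostname $MailHost -ExternalHostname $MailHost `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
        -DefaultAuthenticationMethod NTLM

# 3. Autodiscover SCP for domain-joined Outlook: set on the 2013 server only.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"
```

Running Outlook clients pick up the new URLs at their next Autodiscover refresh; until then they keep the old server name.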
sfsdtc (Author) commented:
Sorry, didn't read the document carefully enough.  Looks like I should have two DNS entries (one for each server IP) that point to mail.whatever.  The Autodiscover is an alias to mail.whatever.  If I do this, how does it know which mail.whatever gets associated with the autodiscover alias?
0
Will Szymkowski (Senior Solution Architect) commented:
You create ONE mail.domain.com A record and point it to your CAS server. If you only have 1 CAS server then point mail.domain.com to the internal IP of your CAS server. If you have multiple CAS servers in your AD Site then point mail.domain.com = load balancer IP.

Create another CNAME record pointing to mail.domain.com.

That's it.

Will.
0
sfsdtc (Author) commented:
Are there mistakes in the document?  On the AutoDiscover one it says Uri instead of Url.  Should it be Url instead?
0
sfsdtc (Author) commented:
I don't have any load balancers.  I just have the existing 2007 Exchange server and the new 2013 Exchange server.  I want them to coexist while I test the new one before migrating all mailboxes to the 2013 then removing the 2007 one.
0
Will Szymkowski (Senior Solution Architect) commented:
OK, so all you need to do is set up mail.domain.com to point to the CAS server for Exchange 2013. It will then redirect or proxy connections to Exchange 2007 if the mailbox resides there.

You do not create 2 entries for 2007 and 2013. Just 2013 is required.

Will.
0

sfsdtc (Author) commented:
When I tried to do the Set-MapiVirtualDirectory, it came back with prompts for IISAuthenticationMethods[0].
0
Will Szymkowski (Senior Solution Architect) commented:
Put in the type of authentication you want to use. You are also not absolutely required to use the last cmdlet.

Will.
0
sfsdtc (Author) commented:
Should Set-ClientAccessServer -Identity "Servername" -AutoDiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml be -AutoDiscoverServiceInternalUrl instead of Uri?
0
Will Szymkowski (Senior Solution Architect) commented:
It should be Uri.

You need to only set this on the Exchange 2013 server. It is not recommended/required to have multiple SCPs (service connection points) for autodiscover. So if you have this set up on your Exchange 2007 server, remove this setting after you have configured it on Exchange 2013.

You can also check that it is correct using the following command:

Get-ClientAccessServer -Identity Servername | fl Auto*

Will.
0
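The check Will suggests above only shows the Autodiscover URI. The script below, an added example that is not from the thread or Will's how-to, goes further: it reads the certificate bound to IIS on the Exchange 2013 server and reports every hostname in the configured virtual directories, Outlook Anywhere and the Autodiscover SCP that is not covered by the certificate, which is exactly the mismatch behind the Outlook error. Run it in the Exchange Management Shell; the server name EX2013 is an assumption.

```powershell
# Added example, not from the thread. $Server is an assumption (your 2013 CAS name).
function Test-ExchangeNamespace {
    param([string]$Server = "EX2013")

    # The certificate enabled for IIS is the one Outlook, OWA and ActiveSync see.
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { "$($_.Services)" -match "IIS" } |
            Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate is enabled for IIS on $Server"; return }
    $certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

    # Every hostname a client can be handed for this server.
    $vdirs = @(
        Get-OwaVirtualDirectory -Server $Server
        Get-EcpVirtualDirectory -Server $Server
        Get-OabVirtualDirectory -Server $Server
        Get-WebServicesVirtualDirectory -Server $Server
        Get-ActiveSyncVirtualDirectory -Server $Server
    )
    $urls = @()
    foreach ($vdir in $vdirs) { $urls += $vdir.InternalUrl, $vdir.ExternalUrl }
    $urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    $hosts = @($urls | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() })
    $oa = Get-OutlookAnywhere -Server $Server
    $hosts += @($oa.InternalHostname, $oa.ExternalHostname) |
              Where-Object { $_ } | ForEach-Object { "$_".ToLower() }

    # A name is covered if it is on the cert exactly, or by a wildcard entry at
    # the same label depth (*.contoso.com covers mail.contoso.com, not a.b.contoso.com).
    foreach ($h in ($hosts | Sort-Object -Unique)) {
        $wild = $certNames | Where-Object {
            $_.StartsWith("*.") -and $h -like $_ -and
            ($h.Split(".").Count -eq $_.Split(".").Count)
        }
        [pscustomobject]@{
            Hostname      = $h
            OnCertificate = ($certNames -contains $h) -or [bool]$wild
        }
    }
}

Test-ExchangeNamespace -Server "EX2013" | Format-Table -AutoSize
```

Any row with OnCertificate = False is a name that will produce the "not from a trusted certifying authority" prompt until either the URL or the certificate is changed.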
sfsdtc (Author) commented:
Since I might have to uninstall then install my Exchange 2013 Server, how do I remove the autodiscovery from it so that my Exchange 2007 controls that for now?
0
sfsdtc (Author) commented:
Thanks so much for the help!
0