Exchange Server 2013 - New install

Background history - I'm a lowly little techie and treading water here...

We had several servers running Windows 2003 and Exchange 2003...

I decided to build a new domain (Server 2012) with a clean install of Exchange 2013 and have a roll-back plan if things didn't work...

I have an SSL123 cert from Thawte

with a single domain registered and applied to my server facing the internet - let's say the domain is

I am getting the dreaded issues with Outlook complaining about invalid certs... External access via OWA is not an issue, and Autodiscover seems to be working fine when I do the test here:

I have created an SRV record on my external DNS to allow the above to work.

I DO NOT have access (firewall restrictions) to access from within the internal network, but I can browse to https://internal_Ip_of_EX01/owa (I get a cert issue as this does not match the address on my cert).

Questions: Do I really need to add to the cert, or can I manipulate the DNS somehow to remove these certificate issues from Outlook?

Any step by step instructions would be appreciated as I feel out of my depth here.



Scott C (Senior Engineer) commented:
Well first of all as soon as you start the Exchange 2013 installation and Exchange 2003 is detected the install will stop.  Exchange 2013 CANNOT co-exist with Exchange 2003.

You need to do a double-hop migration.  Either migrate to Exchange 2007 or 2010.  2010 would be better.   Then once that migration is complete, decommission Exchange 2003.  Once Exchange 2003 is gone, then you can install Exchange 2013 and complete your migration.

Yes, you really need to add to the cert.

For step-by-step instructions do a Google search on "migrating Exchange 2003 to Exchange 2010", then "migrating Exchange 2010 to Exchange 2013".
Choakem (Author) commented:
Sorry, I wasn't clear...

The new Server 2012 domain servers and the new Exchange server are on a new, isolated network.

I only have 20-ish accounts, and I have exported the old PST files from Exchange 2003 and imported them into Exchange 2013.

I suppose for all intents and purposes we can assume this is a new, clean setup and ignore all references to the old Server 2003 and old Exchange server.

Can I remove the invalid cert errors without changing my external cert (my cert does not allow more than one address) which


Scott C (Senior Engineer) commented:
I think you should get a new cert that allows more than one address.  I had a new install done by another engineer and they had a cert with just the and we could never get it working until we added to the cert.

Once we upgraded the cert to multiple addresses, it started working fine.

Someone on here might be able to guide you on how to "fudge" it, but that is something I don't know how to do.

Here is an example of the cert request I recently did for another company.

New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=US, l=City, s=State,," -domainname,,,,, -PrivateKeyExportable $true -path c:\certrequest.txt

This went without a hitch.

Choakem (Author) commented:
I'm off for the weekend (YAYYYYYYYYYYYY)

and for the moment they can live with the invalid certs...

Hopefully someone may know how to fudge it.

Is it necessary that my internal domain can access either or both or from within the internal network, or do I require firewall changes on top?
Scott C (Senior Engineer) commented:
Yes, you want your internal domain to be able to access both.
Choakem (Author) commented:
Thx ScottCha - Any reason why the old Exchange server did not require this? There has been no change on the internal firewalls...
Jeff Glover (Sr. Systems Administrator) commented:
2003 did not do Autodiscover
Choakem (Author) commented:
I guess my ultimate question here - MUST I get a new cert, or can I fudge it?

Thanks for all your help...

Jeff Glover (Sr. Systems Administrator) commented:
Since you say you cannot access from the internal network, I assume you do not have split-brain DNS. Are your internal and external domain names the same or different? If the same, add a record for mail to the internal domain. If different, add a forward lookup zone for your external domain to your internal DNS. Make sure that if you have external websites and such, you add the external addresses to the internal zone, or else your users will not be able to see them. You can try to add an SRV record to that zone and see if it works. I have never tried it and I give it a 50/50 chance. Otherwise, yes, you need a new cert and it needs to have Autodiscover. Also, if you ever plan to use Lync or Skype for Business Server, it should not be a wildcard.

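The split-brain DNS approach described in the answer above, worked through as an added example (this is not the thread participants' own code, and Experts Exchange is not its source). It assumes a Windows DNS server on an AD domain controller, and uses placeholder values throughout: `example.com` stands for the public domain, `mail` for the host part of the single name on the SSL123 certificate, `10.0.0.25` for the internal IP of EX01, and `203.0.113.10` for a public website that must be re-created in the internal zone. The point is that internal Outlook clients must reach Exchange by the exact name that is on the certificate; the zone and records below make that name resolve to the internal address without changing the cert.

```powershell
# Added example (not from the thread): build an internal copy of the external DNS zone
# so internal Outlook clients connect to Exchange by the SAME name that is on the
# public certificate. Every name and IP below is a placeholder; substitute your own.
$ExternalZone     = 'example.com'   # placeholder: public DNS domain
$CertHostName     = 'mail'          # placeholder: host part of the name on the cert
$ExchangeIp       = '10.0.0.25'     # placeholder: internal IP of EX01
$PublicWebIp      = '203.0.113.10'  # placeholder: public website that must stay reachable
$CertFqdn         = "$CertHostName.$ExternalZone"

Import-Module DnsServer

# 1. Create the internal primary zone for the external domain (AD-integrated, so every
#    domain controller running DNS serves it). Skip if it already exists.
if (-not (Get-DnsServerZone -Name $ExternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalZone -ReplicationScope 'Domain'
}

# 2. The certificate name must resolve to the INTERNAL address of the Exchange server.
Add-DnsServerResourceRecordA -ZoneName $ExternalZone -Name $CertHostName -IPv4Address $ExchangeIp

# 3. Autodiscover via an SRV record that points at the certificate name, so no
#    additional autodiscover name has to be on the certificate.
Add-DnsServerResourceRecord -Srv -ZoneName $ExternalZone -Name '_autodiscover._tcp' `
    -DomainName $CertFqdn -Priority 0 -Weight 0 -Port 443

# 4. Because the internal zone now answers for the whole external domain, every public
#    host users need (the company website, for instance) must be re-created here.
Add-DnsServerResourceRecordA -ZoneName $ExternalZone -Name 'www' -IPv4Address $PublicWebIp

# Verification: the certificate name must resolve internally, and the SRV lookup that
# Outlook performs must come back pointing at that same name.
Resolve-DnsName -Name $CertFqdn -Type A
Resolve-DnsName -Name "_autodiscover._tcp.$ExternalZone" -Type SRV

# On the Exchange server (Exchange Management Shell): confirm the name clients will use
# is actually on the certificate bound to IIS. If it is not, the mismatch warning stays.
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
if ($iisCert.CertificateDomains -contains $CertFqdn) {
    "OK: $CertFqdn is on the IIS certificate"
} else {
    "WARNING: $CertFqdn is not on the IIS certificate; Outlook will keep warning"
}
```

Run the DNS part on a domain controller that hosts DNS and the last block in the Exchange Management Shell on EX01. Clients pick up the new zone as soon as their resolver cache expires (`ipconfig /flushdns` forces it), and the check against `CertificateDomains` is the quick way to tell whether the remaining problem is DNS or the certificate itself.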
Choakem (Author) commented:
"If different, add a Forward lookup zone for your external domain to your internal DNS"

That did the trick - many thanks...