Exchange Server 2013 - New install

Background history - I'm a lowly little techie and treading water here...

We had several servers running Windows 2003 and Exchange 2003...

I decided to build a new domain (Server 2012) with a clean install of Exchange 2013 and have a roll-back plan if things didn't work...

I have a SSL123 cert from Thawte
www.thawte.nl/en/products/ssl123+certificates/

with a single domain registered and applied to my server facing the internet - let's say the domain is mail.mydomain.com

I am getting the dreaded issues with outlook complaining about invalid certs.... External access via OWA not an issue and autodiscover seems to be working fine when I do the test here:
https://testconnectivity.microsoft.com

I have created a srv record on my external DNS to allow the above to work.

I DO NOT have access (firewall restrictions) to mail.mydomain.com from within the internal network, but I can browse to https://internal_Ip_of_EX01/owa (I get a cert issue as this does not match the address on my cert).

Questions: Do I really need to add autodiscover.mydomain.com to the cert, or can I manipulate the DNS somehow to remove these certificate issues from Outlook?

Any step by step instructions would be appreciated as I feel out of my depth here.

Regards

Michael
Choakem asked:

Scott C (Senior Systems Engineer) commented:
Well first of all as soon as you start the Exchange 2013 installation and Exchange 2003 is detected the install will stop.  Exchange 2013 CANNOT co-exist with Exchange 2003.

You need to do a double-hop migration.  Either migrate to Exchange 2007 or 2010.  2010 would be better.   Then once that migration is complete, decommission Exchange 2003.  Once Exchange 2003 is gone, then you can install Exchange 2013 and complete your migration.

Yes, you really need to add autodiscover.mydomain.com to the cert.

For step-by-step instructions do a Google search on "migrating Exchange 2003 to Exchange 2010", then "migrating Exchange 2010 to Exchange 2013".
0
Choakem (Author) commented:
Sorry, I wasn't clear....

The new Server 2012 domain servers and the new Exchange server are on a new, isolated network.

I only have 20 ish accounts and I have exported the old PST files from exchange 2003 and imported them into exchange 2013.

I suppose for all intents and purposes we can assume this is a new clean setup and ignore all references to the old server 2003 and old exchange server.

Can I remove the invalid cert errors without changing my external cert (my cert does not allow more than one address), which is mail.mydomain.com?

regards

Michael
0
Scott C (Senior Systems Engineer) commented:
I think you should get a new cert that allows more than one address.  I had a new install done by another engineer and they had a cert with just the mail.mydomain.com and we could never get it working until we added autodiscover.mydomain.com to the cert.

Once we upgraded the cert to multiple addresses, it started working fine.

Someone on here might be able to guide you on how to "fudge" it, but that is something I don't know how to do.

Here is an example of the cert request I recently did for another company.

New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, l=City, s=State, o=company.com, cn=companysbs.server.company.com" -DomainName companysbs.server.company.com, mail.company.com, www.mail.company.com, remote.company.com, autodiscover.company.com, companySBS08.server.company.com -PrivateKeyExportable $true -Path c:\certrequest.txt

This went without a hitch.
0
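Scott's request above is for an Exchange 2007-era server (the SBS08 names give it away); Exchange 2013 returns the request text to the pipeline instead of taking a -Path, so the same thing has to be written out by hand. As an added example that is not from the original thread, here is the equivalent single-request, two-name (SAN) certificate for the asker's own namespace, followed by import, binding and the check that matters. The organisation details, the C:\certs paths and the server name EX01 (taken from the question's "internal_Ip_of_EX01") are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example (not from the thread): SAN certificate request on Exchange 2013.
# Org details, file paths and the server name EX01 are assumptions for illustration.

# One request carrying both names Outlook will connect to. The CN is the primary
# name (mail.mydomain.com); autodiscover.mydomain.com rides along as a SAN entry.
$request = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'C=NL, L=City, S=State, O=My Company, CN=mail.mydomain.com' `
    -DomainName 'mail.mydomain.com', 'autodiscover.mydomain.com'

# Exchange 2013 hands the request back as text; write it out for the CA.
[System.IO.File]::WriteAllBytes('C:\certs\mydomain.req',
    [System.Text.Encoding]::Unicode.GetBytes($request))

# After the CA returns the signed certificate (assumed path C:\certs\mydomain.cer).
# Import-ExchangeCertificate returns the imported certificate object, thumbprint included.
$cert = Import-ExchangeCertificate -Server 'EX01' `
    -FileData ([Byte[]](Get-Content -Path 'C:\certs\mydomain.cer' -Encoding Byte -ReadCount 0))

# Bind it to IIS (OWA, EWS, Autodiscover, Outlook Anywhere) and SMTP.
Enable-ExchangeCertificate -Server 'EX01' -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# The check: every name Outlook is sent to must appear in CertificateDomains,
# and Services must show IIS, otherwise the old single-name cert is still being served.
Get-ExchangeCertificate -Server 'EX01' -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Keep -PrivateKeyExportable $true only if the certificate has to be moved to another server or a load balancer later; otherwise leaving the key non-exportable is the safer default.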

Choakem (Author) commented:
I'm off for the weekend (YAYYYYYYYYYYYY)

and for the moment they can live with the invalid certs........

Hopefully someone may know how to fudge it.

Is it necessary that my internal domain can access either or both of autodiscover.mydomain.com or mail.domain.com from within the internal network, or do I require firewall changes on top?
0
Scott C (Senior Systems Engineer) commented:
Yes, you want your internal domain to be able to access both.
1
Choakem (Author) commented:
Thanks ScottCha - Any reason why the old Exchange server did not require this? There has been no change on the internal firewalls...
0
Jeff Glover (Sr. Systems Administrator) commented:
2003 did not do Autodiscover
0
Choakem (Author) commented:
I guess my ultimate question here - MUST I get a new cert or can I fudge it?

Thanks for all your help....

Michael
0
Jeff Glover (Sr. Systems Administrator) commented:
Since you say you cannot access mail.mydomain.com from the internal network, I assume you do not have split-brain DNS. Are your internal and external domain names the same or different?

If the same, add a record for mail to the internal domain. If different, add a forward lookup zone for your external domain to your internal DNS. Make sure, if you have external websites and such, that you add the external addresses to the internal zone, or else your users will not be able to see them. You can try to add an SRV record to that zone and see if it works. I have never tried it and I give it a 50/50 chance.

Otherwise, yes, you need a new cert and it needs to have Autodiscover. Also, if you ever plan to use Lync or Skype for Business server, it should not be a wildcard.
1
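Jeff's fix above, written out as an added example that is not from the thread. It creates the internal forward lookup zone for the external domain, re-creates the external names that would otherwise disappear, and adds the SRV record so that a certificate carrying only mail.mydomain.com can still work; it deliberately does not create an internal autodiscover A record, because Outlook tries https://autodiscover.mydomain.com before it falls through to SRV, and that attempt would hit a name the cert does not cover. The second half is the Exchange-side part that the DNS change alone does not address: domain-joined Outlook reads the Autodiscover Service Connection Point from Active Directory before any DNS lookup, and by default that SCP and the virtual-directory internal URLs carry the server's internal FQDN, which is exactly the name the single-name cert does not match. All IP addresses are constructed; EX01 and mydomain.com are the names from the question; the DnsServer cmdlets need the Windows Server 2012 DNS role, the rest runs in the Exchange Management Shell.

```powershell
# Added example (not from the thread). IPs are constructed; EX01 and mydomain.com
# are the names used in the question.

# --- Internal DNS (run on a DC holding the DNS role; DnsServer module) ---
# Creating mydomain.com internally makes this server authoritative for the WHOLE zone:
# any public name users still need (www, remote, ...) must be re-created here or it stops resolving.
Add-DnsServerPrimaryZone -Name 'mydomain.com' -ReplicationScope 'Domain'

# mail. points at the Exchange server's INTERNAL address, so the firewall block on the
# public address no longer matters for internal clients.
Add-DnsServerResourceRecordA -ZoneName 'mydomain.com' -Name 'mail' -IPv4Address '192.0.2.10'   # assumed internal IP of EX01

# External names that still live on the internet (assumed public IP). Add one per public host.
Add-DnsServerResourceRecordA -ZoneName 'mydomain.com' -Name 'www'  -IPv4Address '203.0.113.25'

# The same SRV record that already works externally. No autodiscover A record on purpose:
# Outlook would try https://autodiscover.mydomain.com first and get a name mismatch;
# with no A record it falls through to SRV and is redirected to mail.mydomain.com, which the cert covers.
Add-DnsServerResourceRecord -Srv -ZoneName 'mydomain.com' -Name '_autodiscover._tcp' `
    -DomainName 'mail.mydomain.com' -Priority 0 -Weight 0 -Port 443

# --- Exchange 2013 (Exchange Management Shell on EX01) ---
# Domain-joined Outlook queries the AD SCP before DNS. By default it holds
# https://<internal FQDN of EX01>/Autodiscover/Autodiscover.xml, a name not on the cert.
Set-ClientAccessServer -Identity 'EX01' `
    -AutoDiscoverServiceInternalUri 'https://mail.mydomain.com/Autodiscover/Autodiscover.xml'

# The internal URLs Autodiscover hands back must also use the certificate name, otherwise
# Outlook is told to connect to the internal FQDN for EWS/OAB/ActiveSync and warns again.
Set-WebServicesVirtualDirectory -Identity 'EX01\EWS (Default Web Site)' `
    -InternalUrl 'https://mail.mydomain.com/EWS/Exchange.asmx'
Set-OabVirtualDirectory -Identity 'EX01\OAB (Default Web Site)' `
    -InternalUrl 'https://mail.mydomain.com/OAB'
Set-ActiveSyncVirtualDirectory -Identity 'EX01\Microsoft-Server-ActiveSync (Default Web Site)' `
    -InternalUrl 'https://mail.mydomain.com/Microsoft-Server-ActiveSync'
Set-OutlookAnywhere -Identity 'EX01\Rpc (Default Web Site)' `
    -InternalHostname 'mail.mydomain.com' -InternalClientsRequireSsl $true

# --- Checks from an internal client ---
Resolve-DnsName -Name 'mail.mydomain.com' -Type A              # must return 192.0.2.10
Resolve-DnsName -Name '_autodiscover._tcp.mydomain.com' -Type SRV   # must return mail.mydomain.com:443
Get-ClientAccessServer -Identity 'EX01' | Format-List AutoDiscoverServiceInternalUri
```

Outlook picks up the new SCP value on its next Autodiscover run (restart Outlook, or hold Ctrl and right-click the tray icon for "Test E-mail AutoConfiguration" to watch the order of attempts). Because Outlook tries the SRV redirect only after the direct https://mydomain.com and https://autodiscover.mydomain.com attempts fail, this arrangement is the "fudge"; adding autodiscover.mydomain.com to the certificate, as Scott recommends, removes the dependency on that fall-through.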

Choakem (Author) commented:
"If different, add a Forward lookup zone for your external domain to your internal DNS"

That did the trick - many thanks...........
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.