Michael Smith
asked on
Exchange Server 2013 - New install
Background history - I'm a lowly little techie and treading water here...
We had several servers running windows 2003 and Exchange 2003.......
I decided to build a new domain(server 2012) with a clean install of exchange 2013 and have a roll back plan if things didn't work........
I have a SSL123 cert from Thawte
www.thawte.nl/en/products/ssl123+certificates/
with a single domain registered and applied to my server facing the internet - lets say the domain is mail.mydomain.com
I am getting the dreaded issues with outlook complaining about invalid certs.... External access via OWA not an issue and autodiscover seems to be working fine when I do the test here:
https://testconnectivity.microsoft.com
I have created a srv record on my external DNS to allow the above to work.
I DO NOT have access (firewall restrictions) to mail.mydomain.com from within the internal network, but I can browse to https://internal_Ip_of_EX01/owa (I get a cert issue as this does not match the address on my cert).
Questions: Do I really need to add autodiscover.mydomain.com to the cert or can I manipulate the DNS somehow to remove these certificate issues from Outlook.
Any step by step instructions would be appreciated as I feel out of my depth here.
Regards
Michael
ASKER
Sorry, I wasn't clear....
The new server 2012 domain servers and the new Exchange server on a new isolated network.
I only have 20 ish accounts and I have exported the old PST files from exchange 2003 and imported them into exchange 2013.
I suppose for all intents and purposes we can assume this is a new clean setup and ignore all references to the old server 2003 and old exchange server.
Can I remove the invalid cert errors without changing my external cert (my cert does not allow more than one address), which is mail.mydomain.com?
regards
Michael
I think you should get a new cert that allows more than one address. I had a new install done by another engineer and they had a cert with just the mail.mydomain.com and we could never get it working until we added autodiscover.mydomain.com to the cert.
Once we upgraded the cert to multiple addresses, it started working fine.
Someone on here might be able to guide you on how to "fudge" it, but that is something I don't know how to do.
Here is an example of the cert request I recently did for another company.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, l=City, s=State, o=company.com, cn=companysbs.server.company.com" -DomainName companysbs.server.company.com, mail.company.com, www.mail.company.com, remote.company.com, autodiscover.company.com, companySBS08.server.company.com -PrivateKeyExportable $true -Path c:\certrequest.txt
This went without a hitch.
ASKER
I'm off for the weekend (YAYYYYYYYYYYYY)
and for the moment they can live with the invalid certs........
Hopefully someone may know how to fudge it.
Is it necessary that my internal domain can access either or both
autodiscover.mydomain.com or mail.domain.com from within the internal network or do I require firewall changes on top?
Yes, you want your internal domain to be able to access both.
ASKER
Thx ScottCha - Any reason why the old Exchange server did not require this? There has been no change on the internal firewalls...
2003 did not do Autodiscover
ASKER
I guess my ultimate question here - MUST I get a new cert or can I fudge it?
Thanks for all your help....
Michael
ASKER CERTIFIED SOLUTION
ASKER
"If different, add a Forward lookup zone for your external domain to your internal DNS"
That did the trick - many thanks...........
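The fix the asker confirms above (an internal forward lookup zone for the external name) only removes the certificate prompts if Exchange is also told to hand out mail.mydomain.com, the one name on the certificate, for every internal URL and for the Autodiscover SCP that domain-joined Outlook reads from Active Directory. The following is an added worked example, not code from this thread; it assumes an Exchange 2013 server named EX01 with internal IP 192.168.1.10, AD-integrated DNS on the Server 2012 domain controller, and that the Exchange cmdlets run in the Exchange Management Shell while the DnsServer cmdlets run on the DC. It uses a "pinpoint" zone named after the host itself rather than a zone for all of mydomain.com, so no other public records need to be copied inside.

```powershell
# Added example (not from the thread): make internal Outlook clients use the single
# certificate name mail.mydomain.com instead of the server's internal FQDN.
# Assumed values: server EX01, internal IP 192.168.1.10, external name mail.mydomain.com.

$Server     = "EX01"
$Name       = "mail.mydomain.com"
$InternalIP = "192.168.1.10"

# --- 1. Autodiscover SCP: domain-joined Outlook finds this in AD before it ever tries
#        autodiscover.mydomain.com, which is why that name need not be on the cert. ---
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Name/Autodiscover/Autodiscover.xml"

# --- 2. Every virtual directory Outlook touches: internal URL = external URL = cert name ---
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$Name/EWS/Exchange.asmx" -ExternalUrl "https://$Name/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$Name/OAB" -ExternalUrl "https://$Name/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$Name/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Name/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$Name/owa" -ExternalUrl "https://$Name/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$Name/ecp" -ExternalUrl "https://$Name/ecp"

# Exchange 2013 Outlook clients connect over Outlook Anywhere (RPC/HTTP) even on the LAN,
# so the internal hostname here is the name Outlook will check against the certificate.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $Name -InternalClientsRequireSsl $true `
    -ExternalHostname $Name -ExternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm -ExternalClientAuthenticationMethod Basic `
    -IISAuthenticationMethods Basic,Ntlm

# --- 3. Split DNS on the internal DNS server: the firewall blocks the public IP from
#        inside, so resolve the cert name to the Exchange server's LAN address instead. ---
# A zone named after the host ("pinpoint" zone) with an apex ("@") A record answers only
# for mail.mydomain.com and leaves every other public mydomain.com record untouched.
Add-DnsServerPrimaryZone -Name $Name -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $Name -Name "@" -IPv4Address $InternalIP

# --- 4. Checks: run from a client and from the Exchange server after the change ---
Resolve-DnsName $Name                       # expect $InternalIP from an internal client
Get-ClientAccessServer $Server | Format-List AutoDiscoverServiceInternalUri
Get-OutlookAnywhere -Server $Server | Format-List InternalHostname, ExternalHostname
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, NotAfter
```

After this, restart Outlook (or run its Test E-mail AutoConfiguration dialog) and confirm every URL it reports begins with https://mail.mydomain.com. The trade-off, versus ScottCha's route of buying a multi-name (SAN) certificate, is that any client that is not domain-joined and that still guesses autodiscover.mydomain.com from inside the LAN will get no SCP and must fall back to the external SRV record, which the firewall currently blocks, so keep the SAN certificate in mind if that population grows.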
You need to do a double-hop migration. Either migrate to Exchange 2007 or 2010. 2010 would be better. Then once that migration is complete, decommission Exchange 2003. Once Exchange 2003 is gone, then you can install Exchange 2013 and complete your migration.
Yes, you really need to add autodiscover.mydomain.com to the cert.
For step-by-step instructions do a Google search on "migrating Exchange 2003 to Exchange 2010", then "migrating Exchange 2010 to Exchange 2013".