Exchange Server 2013 - New install

Michael Smith asked:

Background history - I'm a lowly little techie and treading water here...

We had several servers running Windows 2003 and Exchange 2003...

I decided to build a new domain (Server 2012) with a clean install of Exchange 2013 and have a roll-back plan if things didn't work...

I have an SSL123 cert from Thawte:
www.thawte.nl/en/products/ssl123+certificates/

with a single domain registered and applied to my server facing the internet - let's say the domain is mail.mydomain.com.

I am getting the dreaded issues with Outlook complaining about invalid certs... External access via OWA is not an issue, and Autodiscover seems to be working fine when I do the test here:
https://testconnectivity.microsoft.com

I have created an SRV record on my external DNS to allow the above to work.

I DO NOT have access (firewall restrictions) to mail.mydomain.com from within the internal network, but I can browse to https://internal_Ip_of_EX01/owa (I get a cert issue as this does not match the address on my cert).

Question: Do I really need to add autodiscover.mydomain.com to the cert, or can I manipulate the DNS somehow to remove these certificate issues from Outlook?

Any step by step instructions would be appreciated as I feel out of my depth here.

Regards

Michael
Scott C:

Well, first of all, as soon as you start the Exchange 2013 installation and Exchange 2003 is detected, the install will stop. Exchange 2013 CANNOT co-exist with Exchange 2003.

You need to do a double-hop migration: either migrate to Exchange 2007 or 2010 (2010 would be better). Then, once that migration is complete, decommission Exchange 2003. Once Exchange 2003 is gone, you can install Exchange 2013 and complete your migration.

Yes, you really need to add autodiscover.mydomain.com to the cert.

For step-by-step instructions, do a Google search on "migrating Exchange 2003 to Exchange 2010", then "migrating Exchange 2010 to Exchange 2013".
Michael Smith (asker):

Sorry, I wasn't clear...

The new Server 2012 domain servers and the new Exchange server are on a new, isolated network.

I only have 20-ish accounts, and I have exported the old PST files from Exchange 2003 and imported them into Exchange 2013.

I suppose for all intents and purposes we can assume this is a new clean setup and ignore all references to the old Server 2003 and old Exchange server.

Can I remove the invalid cert errors without changing my external cert (my cert does not allow more than one address), which is mail.mydomain.com?

regards

Michael
Scott C:

I think you should get a new cert that allows more than one address. I had a new install done by another engineer, and they had a cert with just mail.mydomain.com on it, and we could never get it working until we added autodiscover.mydomain.com to the cert.

Once we upgraded the cert to multiple addresses, it started working fine.

Someone on here might be able to guide you on how to "fudge" it, but that is something I don't know how to do.

Here is an example of the cert request I recently did for another company (run in the Exchange Management Shell; every name Outlook or a browser will connect to goes in the -DomainName list):

# Generate a CSR for a multi-name (SAN) certificate; the request is written to c:\certrequest.txt
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, l=City, s=State, o=company.com, cn=companysbs.server.company.com" -DomainName companysbs.server.company.com, mail.company.com, www.mail.company.com, remote.company.com, autodiscover.company.com, companySBS08.server.company.com -PrivateKeyExportable $true -Path c:\certrequest.txt

This went without a hitch.
Michael Smith (asker):

I'm off for the weekend (YAYYYYYYYYYYYY)

and for the moment they can live with the invalid certs...

Hopefully someone may know how to fudge it.

Is it necessary that my internal domain can access either or both of autodiscover.mydomain.com or mail.mydomain.com from within the internal network, or do I require firewall changes on top?
Scott C:

Yes, you want your internal domain to be able to access both.

Michael Smith (asker):

Thx ScottCha - Any reason why the old Exchange server did not require this? There has been no change on the internal firewalls...

Scott C:

2003 did not do Autodiscover.

Michael Smith (asker):

I guess my ultimate question here - MUST I get a new cert, or can I fudge it?

Thanks for all your help...

Michael
ASKER CERTIFIED SOLUTION

Jeff Glover:

[solution text not included on this page]
Michael Smith (asker):

"If different, add a Forward lookup zone for your external domain to your internal DNS"

That did the trick - many thanks...
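The accepted answer is not reproduced on this page beyond the one line the asker quotes. The following is an added example, not Jeff Glover's answer and not Scott C's code, showing the split-DNS approach that line names carried through in PowerShell, together with the part the DNS change depends on (every URL Outlook is handed must use the name that is on the certificate, otherwise the new zone changes nothing) and a check at the end that also applies to a multi-name certificate like the one Scott requested. Assumed names: the Exchange server is EX01, the domain controller running DNS is DC01, EX01's internal IP is 10.0.0.25; mail.mydomain.com and mydomain.com are the thread's own. The Set-*VirtualDirectory and Set-ClientAccessServer cmdlets are the Exchange 2013 names; the DnsServer cmdlets need the DNS Server tools (RSAT) on whatever machine runs them.

```powershell
# Added example, not code from the thread. Makes the single-name certificate for
# mail.mydomain.com acceptable to internal Outlook clients by (1) handing Outlook
# only URLs that use that name, (2) resolving that name to the internal Exchange
# IP through a split-DNS forward lookup zone, and (3) checking the result.
# Assumed placeholders: EX01, DC01, 10.0.0.25. Run in the Exchange Management
# Shell on EX01 as an Exchange administrator who is also a DNS administrator.

$Server       = "EX01"
$DnsServer    = "DC01"              # internal DNS server (assumed)
$PublicName   = "mail.mydomain.com" # the only name on the SSL123 certificate
$ExternalZone = "mydomain.com"
$InternalIp   = "10.0.0.25"         # internal IP of EX01 (assumed)
$Base         = "https://$PublicName"

# 1. Every URL Outlook can be handed must use a name that is on the certificate.
#    Domain-joined Outlook reads the Autodiscover SCP from Active Directory, so
#    with the SCP pointed at mail.mydomain.com, autodiscover.mydomain.com is not
#    needed on the internal network; the external SRV record covers the outside.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -InternalHostname $PublicName -ExternalHostname $PublicName -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic

# 2. Split DNS: an internal copy of the public zone that answers mail.mydomain.com
#    with the internal IP. Caveat: once this zone exists, internal clients stop
#    asking the Internet for anything under mydomain.com, so every public record
#    they still need (www and so on) has to be re-created in this zone as well.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $ExternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ExternalZone -ReplicationScope Domain
}
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ExternalZone -Name "mail" -IPv4Address $InternalIp

# 3. Check: collect the hostnames from the configured URLs and compare them with
#    the subject/SAN names of the certificate bound to IIS. Any name reported here
#    is a name Outlook will warn about. The same check applies to a SAN certificate.
$iisCert   = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$certNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    (Get-WebServicesVirtualDirectory -Server $Server).ExternalUrl
    (Get-OabVirtualDirectory -Server $Server).InternalUrl
    (Get-OabVirtualDirectory -Server $Server).ExternalUrl
    "https://$((Get-OutlookAnywhere -Server $Server).InternalHostname)/rpc"
    "https://$((Get-OutlookAnywhere -Server $Server).ExternalHostname)/rpc"
)
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique
foreach ($h in $hosts) {
    if ($certNames -notcontains $h) {
        Write-Warning "$h is not in the IIS certificate (names: $($certNames -join ', '))"
    }
}
# Confirm from an internal client afterwards: Resolve-DnsName mail.mydomain.com
# should return 10.0.0.25, and https://mail.mydomain.com/owa should load cleanly.
```

Step 1 is what makes the asker's single-name certificate viable without "fudging" the certificate itself: the names Outlook validates are the hostnames in the URLs Exchange hands out, not the server's own FQDN. Step 2 is the accepted answer's forward lookup zone; its caveat (the internal zone shadows the whole public domain) is the thing most often missed. Step 3 is worth keeping as a routine check after any certificate renewal, since a renewed certificate that drops a name produces exactly the warnings the thread started with.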