Exchange 2010 Local Host Certification

I know this is a big topic right now and I haven't found a fix that works yet.   All my users are getting Local Cert errors when going into Outlook, because I am not able to get the local domain name certified by GoDaddy like in the past, due to the new restrictions.  

Rebuilding the domain is not an option for me right now.  I have tried to rename the server my .com name, but Outlook was still trying to connect to the internal no matter what I did.  

I have also tried to create a local cert to no avail.  The new cert appears to go through OK and says it is signed, but the name on the cert disappears and it doesn't seem to work.

I am not sure what else I can try.

Any ideas or help would be greatly appreciated.
eli290 asked:
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
You need to:
- Configure your local DNS to resolve to the Exchange server's internal IP (e.g. mail.domain.com -> 10.0.0.15)
- Configure the internal URLs to match the external URLs on the CAS role (e.g. the internal URL for OWA would be https://mail.domain.com/owa)

Here's a script that will take care of the Exchange configuration. Run it from EMS. Just enter the external URL and it will configure all the internal URLs (e.g. enter https://mail.domain.com)

$urlpath = Read-Host "Type internal Client Access FQDN starting with http:// or https://"

# Autodiscover URI published in Active Directory (the SCP that domain-joined Outlook reads)
Get-ClientAccessServer -Identity * | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "$urlpath/autodiscover/autodiscover.xml"
# Internal URLs of the CAS virtual directories, all on the same public name as the certificate
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "$urlpath/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "$urlpath/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "$urlpath/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "$urlpath/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "$urlpath/Microsoft-Server-ActiveSync"

eli290 (Author) commented:
Thanks for the feedback
I did try this, but then Outlook crashed because all were set up to go to the local domain name server.  

exchange.local.pri

I tried to reset my Outlook and it kept trying to pull the Local even though I had removed Autodiscover.local.pri from DNS...

Was there maybe something I was missing there?  Or will I still need to hit every PC?
Thank you
David Johnson, CD, MVP (Owner) commented:
Certification Authorities started warning people about this 4 years ago, so you had lots of warning. Exchange is quite happy to use a different address than your LAN, i.e. mydomain.guru (public) and corp.mydomain.local (internal).
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
"I did try this, but then Outlook crashed because all were set up to go to the local domain name server."
The first and crucial step is to create the public DNS name in your internal DNS server and point it to your Exchange server. Then you can change the URLs.

"I tried to reset my Outlook and it kept trying to pull the Local even though I had removed Autodiscover.local.pri from DNS..."
This is because Outlook is pulling the info from AD. You only need the autodiscover record for non-domain joined devices or where the domain is not reachable. The Set-ClientAccessServer -AutodiscoverServiceInternalUri is what configures Active Directory's autodiscover settings that Outlook gets.
David Johnson, CD, MVP (Owner) commented:
Did you restart your CAS? Did you add a proper autodiscover record in your DNS? If managed externally it may take time to propagate; check your TTL settings.
eli290 (Author) commented:
I have the DNS set up and will be making the name change on the Exchange server tomorrow.  Thanks for all the assistance...
eli290 (Author) commented:
I created the DNS Forward Lookup for my external.com.  I then added A records for EXCHANGE and AutoDiscover to point to my internal IP address.  Added a CNAME in my Internal.local zone to point to AutoDiscover.external.com and added an A record in external.com for AutoDiscover.

When I ping EXCHANGE.external.com, it resolves to my internal IP address.  
When I ping AutoDiscover, it resolves to AutoDiscover.external.com and back to my internal IP address for Mail Server

Made the above changes on the Exchange server, but Outlook PCs are still pointing to exchange.internal.local and I am still getting the cert error.  It never knocked Outlook offline like it did the last time I tried to change the identities on the Exchange server.

I have booted both the Exchange Server and DNS Server since making the changes.  I have also reconfigured Outlook on my machine, but it still resolves back to Exchange.internal.local

Totally stumped...What could I have missed??
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
"I have booted both the Exchange Server and DNS Server since making the changes.  I have also reconfigured Outlook on my machine, but it still resolves back to Exchange.internal.local"

This is most likely because your autodiscover URI is not configured properly. You need to run this command from the Exchange Management Shell:
Get-ClientAccessServer -Identity * | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://exchange.external.com/autodiscover/autodiscover.xml"

Change the exchange.external.com portion to the proper FQDN and run that in EMS.
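The following is an added verification script, not code from this thread or from any of its participants. It checks the three things the answers above say must agree before the cert error goes away: the public name resolves to the internal IP from inside the LAN (split DNS), every internal URL and the AD Autodiscover URI carry that public name, and the certificate bound to IIS actually lists it. It assumes it is run in the Exchange 2010 Management Shell on the Client Access server; $Fqdn and $InternalIp are placeholders to replace with your own values.

```powershell
# Added example: verifies DNS, Autodiscover/internal URLs and the IIS certificate
# agree on one public name. Assumes the Exchange 2010 Management Shell on the CAS.
$Fqdn       = "mail.example.com"   # placeholder: the public name on your certificate
$InternalIp = "10.0.0.15"          # placeholder: the Exchange server's LAN address
$Server     = $env:COMPUTERNAME
$problems   = @()

# 1. Split DNS: from inside the LAN the public name must resolve to the internal IP.
#    System.Net.Dns is used because Resolve-DnsName does not exist on Server 2008 R2.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) |
             ForEach-Object { $_.IPAddressToString }
    if ($addrs -notcontains $InternalIp) {
        $problems += "DNS: $Fqdn resolves to [$($addrs -join ', ')], expected $InternalIp"
    }
} catch {
    $problems += "DNS: $Fqdn does not resolve internally ($($_.Exception.Message))"
}

# 2. Every URL Outlook learns through Autodiscover must use the public name.
#    The first entry is the SCP value domain-joined Outlook reads from Active Directory.
$urls = @{}
$urls["AutoDiscoverServiceInternalUri"] = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$urls["EWS InternalUrl"]        = (Get-WebServicesVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl
$urls["OAB InternalUrl"]        = (Get-OabVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl
$urls["OWA InternalUrl"]        = (Get-OwaVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl
$urls["ECP InternalUrl"]        = (Get-EcpVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl
$urls["ActiveSync InternalUrl"] = (Get-ActiveSyncVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl

foreach ($name in $urls.Keys) {
    $u = [string]$urls[$name]
    if (-not $u) { $problems += "${name}: not set"; continue }
    $uriHost = ([System.Uri]$u).Host
    if ($uriHost -ne $Fqdn) {
        $problems += "${name}: host is '$uriHost', expected '$Fqdn' ($u)"
    }
}

# 3. The certificate enabled for IIS must include the public name and still be valid.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) {
    $problems += "Certificate: no certificate has the IIS service enabled"
} else {
    $names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
    if ($names -notcontains $Fqdn) {
        $problems += "Certificate $($cert.Thumbprint): names [$($names -join ', ')] do not include $Fqdn"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $problems += "Certificate $($cert.Thumbprint): expired on $($cert.NotAfter)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "All checks passed: DNS, internal URLs and the IIS certificate agree on $Fqdn"
} else {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Any FAIL line points at the layer still handing Outlook the old internal name: a DNS failure means the public zone was not created internally, a URL failure means the Set-* commands above were not applied (or were applied on a different CAS), and a certificate failure means the public name is missing from the certificate's subject alternative names, which is the one thing no amount of URL changes can fix.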
