Change Exchange domain name

Dear Experts, we are having 1 Exchange Mail server and 1 AD server with domain:, with about 1000 users and 10 TB of mail data

Now we'd like to change the domain to:, and remain the same users' data

Is it possible? If so, how can we do it?

Many thanks!
DP230 (Network Administrator) asked:

Aaron Guilmette (Technology Solutions Professional) commented:
You can't change the Active Directory domain name once Exchange has been installed.  However, you can add an accepted domain and update the email address policies.

Accepted domains:

Email address policies:

DP230 (Network Administrator, author) commented:
Hi Aaron, yes I knew and already did it.

But as you may know, the SSL issue in MS Outlook appeared after configured Accepted domain:

So our users have 2 SMTP addresses: and, both can receive mails but outside can only see us as

The problem is if we can NOT purchase the multiple-domain wildcard SSL cert, what should we do to fix the SSL issue? We'd like to change the domain to completely.
Aaron Guilmette (Technology Solutions Professional) commented:
So, the problem you're actually facing is an Autodiscover problem.  Outlook clients will perform autodiscover using the SMTP suffix of the user's email address.  If you change UserA's primary SMTP address from to, the next time Outlook starts, it will attempt to look up a server name for  If you don't have a matching cert and still have an SCP record in AD, you'll get a cert warning.

The best solution will be to request a certificate to say:

And whatever other names you had on there.  For domain-joined machines, you could also configure an SRV record for  SRV records bypass cert errors. gives an example of configuring an autodiscover SRV record.  Queries outside your domain will still result in cert errors unless you configure external SRV records as well.

The overall best answer is to make sure your cert name holds an autodiscover record for all of the domains you answer for.

DP230 (Network Administrator, author) commented:
Yes you are right, we already configured the SRV in internal DNS (AD server) but did not know how to configure it in public DNS. Can you help?

" For domain-joined machines, you could also configure an SRV record for  SRV records bypass cert error"

But our DNS server also is AD server of the; and I don't think we can configure the SRV of here
Aaron Guilmette (Technology Solutions Professional) commented:
That doesn't matter.  You need to create a new AD DNS zone for  You'll be adding _autodiscover._tcp to the new zone.  You'll keep the existing SRV record for, since it's for the old domain.
Aaron Guilmette (Technology Solutions Professional) commented:
You may also want to look at suppressing the autodiscover warning messages, if the SRV record or new cert don't solve it.  This is how to do it for a single user; you can also deploy the settings via Group Policy Preferences.
DP230 (Network Administrator, author) commented:
Hi, but how can I teach my Server to use the SRV record of when it is using DNS of

As my understanding, are you suggesting us to new AD DNS zone for in the same DNS server with If so, which type of zone should we choose?

DP230 (Network Administrator, author) commented:
Aaron Guilmette (Technology Solutions Professional) commented:
Yes, that's correct for the zone.

The DNS record isn't "teaching the server."  It's so the server returns a valid response to the client.

Your Outlook clients are trying to find the answer to a lookup, "where do I go for"  Your environment responds, "here, try"

You need to give your environment a way to answer, "here, try this for"

I went through this process for about 200,000 mailboxes for 60 agencies at a state government last year. ;)
Aaron Guilmette (Technology Solutions Professional) commented:
The redirect warning pop up sometimes happens when your autodiscover redirect happens from http to https. It probably won't fix this issue by itself, but it's useful if you certain other environmental variables.  I typically recommend it when you don't have a cert that matches the SMTP domains.
DP230 (Network Administrator, author) commented:
Wow, 200000 mailboxes were a huge number :) but it did not work for me.

Which environment variable do I need to modify? I tried to import a cert of into Exchange server, then assign SMTP service to that new cert, but it did not work
Aaron Guilmette (Technology Solutions Professional) commented:
You still probably should configure a DNS zone for, and configure an A record for to point to your Exchange server.

You probably should review how to configure Autodiscover:

In general:

- You should have a certificate applied to your Exchange server.  The certificate should have, at a minimum, a CN or SAN name entry for autodiscover for every domain that you have configured as a primary SMTP suffix.  If you have 500 domains (, but only and are used as primary SMTP address domains for your users, your certificate should have:

- The default lookup order for Autodiscover depends on your version of Outlook (you can read more at Rhoderick's blog: as well as the older Exchange 2010 whitepaper on how autodiscover works:

• SCP lookup
• HTTPS root domain query
• HTTPS Autodiscover domain query
• Local XML file
• HTTP redirect method
• SRV record query
• Cached URL in the Outlook profile (new for Outlook 2010 version 14.0.7140.5001 and later versions)
• Direct Connect to Office 365 (new for Outlook 2016 version 16.0.6741.2017 and later versions)

- SCP is configured by using Set-ClientAccessServer -AutodiscoverServiceInternalUri (

- Along with the certificate having the right names on it, you also need DNS zones to answer for those names.  If you have and being used as primary SMTP address suffixes for your users, *no matter what your Active Directory FQDN is,* you need DNS records for and  If your AD domain is domain.local, your AD DNS server will have 3 primary DNS zones configured: domain.local (which contains all of your servers and workstations that automatically register), and then and, which have been configured potentially with an A or CNAME record to > exchangeserver.domain.local and potentially an SRV record that points > exchangeserver.domain.local.

- You can control which methods get queried for Autodiscover by Outlook by modifying a series of registry keys (either individually or via Group Policy Objects / Group Policy Preferences):

- If you use an SRV record for autodiscover location, most cert errors will be ignored (such as if you had a certificate for and your Outlook clients are attempting to autoconfigure for), but in order for you to use the SRV record lookup method, you need to disable SCP lookup (either by disabling SCP in your forest via Set-ClientAccessServer -AutodiscoverServiceInternalUri $null or by disabling SCP via registry/group policy on workstations).

Before making changes to your environment, I would recommend going through all of the reading on how the server-side configurations for Autodiscover work (autodiscover internal and external URLs, SCP, SRV lookup, HTTPS redirect method) as well as how Outlook clients process autodiscover.
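
The checklist in the answer above asks for an autodiscover name on the certificate for every primary SMTP domain, and for DNS to answer for those names. An added example, not part of the thread or of anyone's posted code, that checks both in PowerShell; the function names, the domains `old.example` and `new.example`, and the certificate name list are constructed assumptions.

```powershell
# Added example; function names and sample values are constructed, not from the thread.
function Test-AutodiscoverCertCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $PrimarySmtpDomains,
        [Parameter(Mandatory)] [string[]] $CertificateNames
    )
    $names   = $CertificateNames   | ForEach-Object { $_.Trim().ToLowerInvariant() }
    $domains = $PrimarySmtpDomains | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique
    foreach ($domain in $domains) {
        $required = "autodiscover.$domain"
        # A wildcard name covers exactly one label, so *.<domain> also satisfies the check.
        $hit = $names | Where-Object { $_ -eq $required -or $_ -eq "*.$domain" } | Select-Object -First 1
        [pscustomobject]@{ Domain = $domain; RequiredName = $required; Covered = [bool]$hit; MatchedBy = $hit }
    }
}

function Get-AutodiscoverDnsAnswer {
    param([Parameter(Mandatory)] [string[]] $Domains)
    foreach ($domain in $Domains) {
        # Only records in the Answer section count; an SOA in the Authority section means "no such record".
        $hostRecord = Resolve-DnsName -Name "autodiscover.$domain" -ErrorAction SilentlyContinue |
            Where-Object { $_.Section -eq 'Answer' }
        $srvTargets = Resolve-DnsName -Name "_autodiscover._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'SRV' } |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" }
        [pscustomobject]@{
            Domain       = $domain
            HostResolves = [bool]$hostRecord
            SrvTargets   = $srvTargets -join ', '
        }
    }
}

# Constructed sample: both domains are primary SMTP suffixes, the certificate names only the old one.
$sampleDomains = 'old.example', 'new.example'
$sampleNames   = 'mail.old.example', 'autodiscover.old.example'
Test-AutodiscoverCertCoverage -PrimarySmtpDomains $sampleDomains -CertificateNames $sampleNames

# In the Exchange Management Shell the real inputs can be collected with:
#   $domains = Get-Mailbox -ResultSize Unlimited |
#       ForEach-Object { "$($_.PrimarySmtpAddress)".Split('@')[-1] } | Sort-Object -Unique
#   $names   = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
#       ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
#   Get-AutodiscoverDnsAnswer -Domains $domains   # run from a client's DNS view
```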