Exchange Server Affected by SSL Certificate Organization Name Change

  • Question

  • We recently underwent a name change of our company. We added a few new domain names for the new company to our Exchange Server 2007 and updated our address policy to include them and everything seemed to work okay for a while. We subsequently reissued the SSL Certificate for our Exchange Server under the new organization name (per the CA's recommendation). Shortly thereafter we experienced all sorts of issues necessitating a rebuild of our Exchange Server. Is there any dependency between the organization name in an SSL certificate and the organization name that Exchange Server stores its info under in Active Directory (which still had the old name) that would cause Exchange to go haywire?
    Friday, January 16, 2015 2:39 PM

All replies

  • Where are you having connectivity issues?  Yes, changing a certificate can do this, especially when you change the names on the certificate.

    Make sure that Set-OutlookProvider -Identity EXPR -CertPrincipalName is set to the CN of your certificate.

    Make sure that all URLs in all your virtual directories have hostnames that are in your certificate.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, January 16, 2015 5:09 PM
    Moderator
  • All of our user mailboxes went into Disconnected Mailbox in Exchange and we could not reconnect them to the user accounts they belonged to, as no domain users would show up to choose from when we tried to reconnect them.
    Friday, January 16, 2015 5:23 PM
  • Is this your production environment (as I think it is)?

    How many mailboxes are affected? All?

    Is your company able to function (as far as email is concerned)?

    A problem with certificates would usually affect client access to mailboxes via OWA or ActiveSync.

    I would tend to think that mailboxes being suddenly disconnected from their corresponding user account, and not being able to see those user accounts from Exchange, would suggest a bigger problem than just certificate names.

    It's not clear to me (at least) what the possible relationships of cause and effect are, since so many things have happened: additional domain names added, new certificate issued, "all sorts of issues" leading to an Exchange server rebuild, and now all (?) mailboxes disconnected and an apparent inability to query for the corresponding user accounts in Active Directory.

    Based on your responses to my questions above, this might be a case where consulting Microsoft directly may be the best option, rather than attempting to fix this post by post on TechNet.

    For example, it's the weekend and nearly 24 hours have passed since your last post.

    One thing you could do is run the Exchange Best Practices Analyzer to see what configuration issues are flagged.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    Saturday, January 17, 2015 3:46 PM
  • You didn't describe how you did a "rebuild" but that was probably not a good idea.  I would have recommended building a new server and moving all the services to it.  I recommend you open a ticket with Microsoft Support because your problem appears to be well beyond what we can help you fix in a timely manner.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."


    Sunday, January 18, 2015 5:22 AM
    Moderator
  • We rebuilt the same server from scratch...new OS and Exchange install but used the same server name which in hindsight we should probably not have done...following getting everything up we still had mailbox connectivity issues.  Most (but not all) user mailboxes did not have the proper Exchange permissions.  We basically had to update user account permissions in AD to get them working again.
    Monday, January 19, 2015 2:22 AM
  • Thanks, David...we had gotten our E-mail back up and running again prior to my original post...I was doing a post-mortem on the incident and couldn't make a determination as to what actually caused our problem...normally simply adding a couple of domain names to Exchange is no big deal (this change was made a good 2 weeks before we started having issues) but doing it in conjunction with our organization name change and associated SSL certificate reissue all at relatively the same time made me wonder if there was any connection. I just don't want to repeat the same mistake if the same set of circumstances arises in the future.
    Monday, January 19, 2015 2:31 AM
  • Hi,

    Please confirm you were creating a new domain in your AD or creating an accepted domain in Exchange server.

    If you directly create an accepted domain in Exchange, the new domain would be considered authoritative when the Exchange organization hosts mailboxes for recipients in this SMTP domain. We don’t need to create a new Exchange certificate for this new accepted domain because the SRV records can be used to connect to Autodiscover service. And the Exchange services URLs are not changed and they can still be authenticated by the original certificate (mail.domain.com, autodiscover.domain.com).

    Certainly, we can reissue a new Exchange certificate, please make sure the new Exchange certificate has included all needed namespaces for your Exchange server such as:

    mail.domain.com, autodiscover.domain.com, autodiscover.newdomain.com

    We can also run Get-ExchangeCertificate | fl to check it.

    Regards,


    Winnie Liang
    TechNet Community Support

    Monday, January 19, 2015 11:31 AM
    Moderator
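The checks suggested in the two moderator replies above (Ed's: the EXPR CertPrincipalName and every virtual directory URL must match a name on the certificate; Winnie's: the reissued certificate must carry all needed namespaces, which Get-ExchangeCertificate | fl lists) can be scripted in one pass. The script below is an added example written for this thread, not code from Microsoft or from the original posters. It assumes it is run in the Exchange Management Shell on a Client Access server, uses only the cmdlets named in the thread plus the standard virtual-directory and accepted-domain cmdlets, and treats hostnames such as mail.domain.com as placeholders.

```powershell
# Added example, not from the thread: audit the certificate Exchange uses for IIS
# against every hostname Exchange hands to clients. Run in the Exchange Management
# Shell on a Client Access server; hostnames in the output are whatever your
# organization actually uses (mail.domain.com etc. are placeholders).

# 1. Names on the certificate currently enabled for the IIS service.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No Exchange certificate is enabled for the IIS service.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
Write-Host "Certificate $($cert.Thumbprint) subject: $($cert.Subject)"
Write-Host "Names on certificate: $($certNames -join ', ')"

# Returns $true when the hostname is covered by a name on the certificate.
# A wildcard entry (*.domain.com) covers exactly one extra label.
function Test-NameCovered {
    param([string]$HostName)
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".domain.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# 2. Every URL clients are pointed at: OWA, EWS, ActiveSync, OAB and Autodiscover.
$urls = @()
$vdirs = @(Get-OwaVirtualDirectory; Get-WebServicesVirtualDirectory;
           Get-ActiveSyncVirtualDirectory; Get-OabVirtualDirectory)
foreach ($vd in $vdirs) {
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
        if ($u) { $urls += [pscustomobject]@{ Source = "$($vd.Identity)"; Url = $u.ToString() } }
    }
}
foreach ($cas in Get-ClientAccessServer) {
    if ($cas.AutoDiscoverServiceInternalUri) {
        $urls += [pscustomobject]@{ Source = "$($cas.Name) AutoDiscoverServiceInternalUri"
                                    Url    = $cas.AutoDiscoverServiceInternalUri.ToString() }
    }
}

# 3. Report URLs whose hostname the certificate does not cover (Ed's second check).
$uncovered = foreach ($entry in $urls) {
    $hostName = ([uri]$entry.Url).Host
    if (-not (Test-NameCovered $hostName)) { $entry }
}
if ($uncovered) {
    Write-Host 'URLs whose hostname is NOT on the certificate:' -ForegroundColor Yellow
    $uncovered | Format-Table Source, Url -AutoSize
} else {
    Write-Host 'All virtual directory and Autodiscover URLs are covered by the certificate.'
}

# 4. Outlook Anywhere: EXPR CertPrincipalName should be msstd:<name on certificate>
#    (Ed's first check). Set-OutlookProvider -Identity EXPR -CertPrincipalName fixes it.
$expr = Get-OutlookProvider -Identity EXPR
$principal = if ($expr.CertPrincipalName) { $expr.CertPrincipalName.ToString() } else { '' }
if (-not $principal) {
    Write-Host 'EXPR CertPrincipalName is not set.' -ForegroundColor Yellow
} elseif (-not (Test-NameCovered ($principal -replace '^msstd:', ''))) {
    Write-Host "EXPR CertPrincipalName '$principal' does not match a name on the certificate." -ForegroundColor Yellow
} else {
    Write-Host "EXPR CertPrincipalName '$principal' matches the certificate."
}

# 5. Winnie's namespace list: autodiscover.<accepted domain> for each accepted domain.
#    A missing entry is only a problem if no SRV record points clients at an
#    Autodiscover hostname that IS on the certificate.
foreach ($ad in Get-AcceptedDomain) {
    $domain = $ad.DomainName.ToString().ToLower()
    if ($domain.StartsWith('*.')) { continue }            # skip subdomain wildcards
    $autodiscover = "autodiscover.$domain"
    $status = if (Test-NameCovered $autodiscover) { 'on certificate' } else { 'NOT on certificate (needs SRV record or cert reissue)' }
    Write-Host "$autodiscover : $status"
}
```

Run it after any certificate reissue, before removing the old certificate, so that a name left off the new certificate shows up as an uncovered URL rather than as client errors. Nothing in the script changes configuration; corrective action is the Set-OutlookProvider or Set-*VirtualDirectory call named in the thread.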
  • We were creating an additional accepted domain in Exchange server. The reason we had to create a new Exchange certificate is that the legal name of our organization had changed. The CA had us reissue our SSL certificate since our old name was no longer valid (i.e., our O= had changed). We did not change our organization name, however, in Active Directory, which we theorized is what caused some of our problems.
    Monday, January 19, 2015 4:23 PM