reconfigure exchange 2010 to use the FQDN

  • Question

  • I have an Exchange 2010 on Server 2008 R2. I need to reconfigure Exchange 2010 to use the FQDN so I can get rid of the popup that says my xyz.loc is not valid.

    I have the new certificate installed and it seems fine. Sending and receiving mail outside the local network, everything seems OK. It is just inside where I get the popup that tells me my xyz.loc is not trusted.

    If I can at least get pointed in the right direction that would be great. Some said self-signed certificate, but I'm thinking Exchange uses only one certificate. I have heard of split DNS, so internal sees the external FQDN and directs it to the inside IP.

    When I came across this I was thinking this would work, but when I got to thinking about it, my internal owa.xyz.org does not resolve internally, so it couldn't work. I am sure I am overlooking something, and I want to get it figured out before I make any changes so it works right away.

    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

    EMC > Server Configuration > Client Access > OWA tab > OWA > Properties > 

    Change Internal URL from .local/owa to com/owa

    EPC tab > EPC > Properties >

    Change Internal URL from .local/epc to com/epc

    Exchange ActiveSync tab > Microsoft-Server-ActiveSync > Properties >

    Change Internal URL from .local/Microsoft-Server-ActiveSync to .com/Microsoft-Server-ActiveSync

    Recycled MSExchangeAutodiscoverAppPool and restart Outlook.

    /////////////////////////////////////////////////////////////////////////////////////


    John R

    Monday, May 18, 2015 7:00 PM

All replies

  • Hi John,

    Exchange allows you to configure both an internal and external URL for Exchange Client Access Servers, including OWA, ActiveSync, Outlook Anywhere, etc. It is up to you if you want to use .local for internal use and .com for external use. But it is a best practice to keep it consistent. By that I mean the following:

    • Make sure you have split-DNS configured, by hosting an internal DNS zone for yourcompany.com.
    • Create internal DNS records for <hostname>.yourdomain.com that point to your internal Exchange Client Access Services.
    • Make sure your Exchange Client Access Servers have a valid SSL multiple-domain certificate that includes all the hostnames of the DNS records you created.
    • Within Exchange, link the SSL certificate to the right Exchange service.
    • Configure the internal and external URLs with the same hostnames (e.g. owa.yourdomain.com).


    Exchange Autodiscover will then always point you to the same URL. But as you mentioned, you have to have split-DNS (or a Proxy Server).

    As you may understand, it's quite a lot to explain everything in detail. But this information should help you get into the right direction. Hope this information is informative to you.


    Boudewijn Plomp | BPMi Infrastructure & Security

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".

    Monday, May 18, 2015 7:19 PM
  • Can you run Get-OutlookProvider?

    Also run Get-ClientAccessServer | FL Identity, *Autodiscover*

    and

    Get-OutlookAnywhere | fl servername, *hostname*


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Monday, May 18, 2015 7:34 PM
  • Thanks for the help, it is appreciated.

    [PS] C:\Users\admin\Desktop>Get-OutlookProvider

    Name                          Server                        CertPrincipalName             TTL
    ----                          ------                        -----------------             ---
    EXCH                                                                                      1
    EXPR                                                                                      1
    WEB                                                                                       1


    [PS] C:\Users\admin\Desktop>Get-ClientAccessServer | FL Identity, *Autodiscover*


    Identity                       : AB-EXCH
    AutoDiscoverServiceCN          : ab-exch
    AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
    AutoDiscoverServiceInternalUri : https://ab-exch.XYZ.loc/Autodiscover/Autodiscover.xml
    AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
    AutoDiscoverSiteScope          : {Default-First-Site-Name}



    [PS] C:\Users\admin\Desktop>Get-OutlookAnywhere | fl servername, *hostname*


    ServerName       : ab-EXCH
    ExternalHostname : owa.XYZ.org


    John R

    Monday, May 18, 2015 8:15 PM
  • Perfect. The autodiscoverinternaluri is the issue here.

    Does owa.xyz.org resolve to an internal address internally?

    If not, create a DNS Zone for owa.xyz.org with just an A record pointing to the exchange server.

    Once you do that you can run:

    Get-ClientAccessServer | Set-ClientAcessServer -AutodiscoverServiceUri https://owa.xyz.org/Autodiscover/Autodiscover.xml

     Give IIS a recycle and that should take care of it.


    Monday, May 18, 2015 8:30 PM
  • Make sure you have split-DNS configured. By hosting an internal DNS zone for yourcompany.com

    I made a new zone xyz.org with an A record for owa.xyz.org, and now owa.xyz.org resolves to the internal address, but xyz.org does not resolve to the external address.

    I'm thinking the zone should have been just .org, or maybe a stub zone; honestly I'm not sure. As soon as I get the DNS configured I can move on to the Exchange external address matching the internal, and it should be good.

    Thanks for the help


    John R

    • Marked as answer by John Reedy Saturday, June 13, 2015 1:21 PM
    Tuesday, May 19, 2015 1:17 PM
  • Make sure you have split-DNS configured. By hosting an internal DNS zone for yourcompany.com

    I made a new zone xyz.org with an A record for owa.xyz.org, and now owa.xyz.org resolves to the internal address, but xyz.org does not resolve to the external address.

    I'm thinking the zone should have been just .org, or maybe a stub zone; honestly I'm not sure. As soon as I get the DNS configured I can move on to the Exchange external address matching the internal, and it should be good.

    Thanks for the help


    John R

    This is a pretty good resource on getting split-brained DNS going.

    http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/managing-certificates-exchange-server-2013-part2.html


    • Marked as answer by John Reedy Saturday, June 13, 2015 1:21 PM
    Tuesday, May 19, 2015 3:09 PM
  • Thanks for your help. I am getting an error when I try to run this command:

    Get-ClientAccessServer | Set-ClientAcessServer -AutodiscoverServiceUri https://owa.123.org/Autodiscover/Autodiscover.xml

    [PS] C:\Windows\system32>Get-ClientAccessServer | Set-ClientAcessServer -AutodiscoverServiceUri https://owa.123.org/Autodiscover/Autodiscover.xml
    The term 'Set-ClientAcessServer' is not recognized as the name of a cmdlet, function, script file, or operable program.
     Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:47
    + Get-ClientAccessServer | Set-ClientAcessServer <<<<  -AutodiscoverServiceUri https://owa.123.org/Autodiscover/Autodi
    scover.xml

        + CategoryInfo          : ObjectNotFound: (Set-ClientAcessServer:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    [PS] C:\Windows\system32>

    I ran this command successfully

    Set-ClientAccessServer -Identity 123-exch -AutoDiscoverServiceInternalUri https://owa.123.org/autodiscover/autodiscover.xml

    This AutoDiscoverServiceCN seems to be pointing to my .loc

    Now when I run this

    Get-ClientAccessServer | FL Identity, *Autodiscover*

    I get this
    Identity                       : 123-EXCH
    AutoDiscoverServiceCN          : 123-exch
    AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
    AutoDiscoverServiceInternalUri : https://owa.123.org/Autodiscover/Autodiscover.xml
    AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
    AutoDiscoverSiteScope          : {Default-First-Site-Name}

    Thanks in advance. When I get it I will mark the answer so as to help others. I keep looking at it, not wanting to ask. Thanks again.


    John R


    • Edited by John Reedy Tuesday, June 9, 2015 5:39 PM
    Tuesday, June 9, 2015 5:37 PM
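
The checks this thread walks through (internal DNS for the public name, a certificate that lists it, internal URLs that match it), gathered into one Exchange Management Shell script and followed by the Autodiscover change with the cmdlet and parameter spelled as Exchange defines them. This is an added example, not code posted by anyone in the thread; `AB-EXCH` and `owa.xyz.org` are the names from the output above, and `Test-NameCovered` and `$Apply` are hypothetical names introduced here.

```powershell
# Added example: run from the Exchange Management Shell (PowerShell 2.0 compatible).
# $Server and $Fqdn come from the thread's output; adjust for your site.
$Server = 'AB-EXCH'
$Fqdn   = 'owa.xyz.org'
$Apply  = $false   # hypothetical switch: set to $true to change the URI once checks pass

# Hypothetical helper: true when a certificate name (exact, or a wildcard
# covering exactly one label) matches $Name.
function Test-NameCovered([string]$CertName, [string]$Name) {
    if ($CertName -ieq $Name) { return $true }
    if ($CertName.StartsWith('*.')) {
        $parent = $Name.Substring($Name.IndexOf('.') + 1)
        return ($CertName.Substring(2) -ieq $parent)
    }
    return $false
}

# 1. Split DNS: the public name must resolve from inside the network.
try   { $ips = @([System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }) }
catch { $ips = @() }
"DNS  {0} -> {1}" -f $Fqdn, ($ips -join ', ')

# 2. Certificate: an unexpired certificate enabled for IIS must list the name,
#    otherwise Outlook keeps raising the name-mismatch popup.
$certs = @(Get-ExchangeCertificate -Server $Server | Where-Object {
    $covers = @($_.CertificateDomains | Where-Object { Test-NameCovered "$_" $Fqdn }).Count -gt 0
    $covers -and "$($_.Services)" -match 'IIS' -and $_.NotAfter -gt (Get-Date)
})
"CERT {0} valid certificate(s) on IIS covering {1}" -f $certs.Count, $Fqdn

# 3. URLs: list every internal URL that still uses a different host name.
$urls = @((Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri)
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory') {
    $urls += & $cmd -Server $Server | ForEach-Object { $_.InternalUrl }
}
$stale = @($urls | Where-Object { $_ -and ([Uri]"$_").Host -ine $Fqdn })
$stale | ForEach-Object { "URL  still points elsewhere: $_" }

# 4. Change the Autodiscover URI only when DNS and the certificate are ready.
if ($Apply -and $ips.Count -gt 0 -and $certs.Count -gt 0) {
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$Fqdn/Autodiscover/Autodiscover.xml"
}
```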