Exchange 2010 - AD and mail domains different - SSL Certificate error

  • Question

  • Hello,

    I had a Windows Server 2003/Exchange 2003 server with domain1.com as the AD and mail domain.
    The customer company changed its name, so I added a new mail domain in the Exchange server (domain2.com).
    I upgraded to Windows 2008/Exchange 2010.

    I used a self-signed certificate for this installation. Recently, I ordered and installed a Comodo wildcard certificate *.domain2.com, as this is the internet domain used by the customer, and I assigned this certificate to the IIS and SMTP services.

    In the webmail, I did not get the security error any more. BUT, after a few hours, the Outlook users called to tell us that they receive security alerts in Outlook. After a few searches, I think the problem is that there is some flow exchanged between Outlook, AD and Exchange using the internal domain (domain1.com).

    I did a rollback to the Self-signed certificate until i find a solution.

    Do you have any idea about that issue? Any suggestion? 

    Regards.

    Thursday, February 2, 2017 10:19 PM

Answers

  • Hello,

    From your description, I suppose that it's a new accepted domain in the current Exchange environment and DNS zone, and the Outlook client still gets a certificate warning about the previous name.

    Please double check the value for all Exchange services:
    Get-OutlookAnywhere | Select Server,InternalHostName,ExternalHostName
    Get-OWAVirtualDirectory | Select Server,InternalURL,ExternalURL
    Get-ECPVirtualDirectory | Select Server,InternalURL,ExternalURL
    Get-OABVirtualDirectory | Select Server,InternalURL,ExternalURL
    Get-WebServicesVirtualDirectory | Select Server,InternalURL,ExternalURL
    Get-ActiveSyncVirtualDirectory | Select Server,InternalURL,ExternalURL
    Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalUri
    Get-PowerShellVirtualDirectory | Select Server,InternalURL,ExternalURL
    If any still point to the previous namespace, change them to the new one.
    Note: restart IIS with "IISRESET" after making any changes to a VD.

    If the issue still exists, please open Test E-mail AutoConfiguration in the problematic Outlook, then check the results for autodiscover.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 3, 2017 2:18 PM
    Moderator

All replies

  • So it's 2 separate domains with a 2-way trust?

    Where is the mailbox residing? domain 1 or 2?

    How is Outlook connecting, domain 1 or 2?

    Friday, February 3, 2017 3:00 AM
  • Hello,

    Domain 1 is my Active Directory domain; it was also the SMTP domain.

    I added a new SMTP domain (domain2) and configured it as the principal SMTP domain.

    So actually, every mailbox has a main email address user@domain2.com, and a second address user@domain1.com which is hidden from the end user. It's only a legacy address from the original domain name.

    The mailboxes reside on the same server.

    The email address used in Outlook is user@domain2.com.

    Hope I answered your question.

    Regards.

    Friday, February 3, 2017 2:33 PM
  • Hi,

    All internal URLs use the old domain (servername.domain1.com); I think this is the cause of the problem.

    I'll add a new record servername.domain2.com to the domain2.com zone which points to the local server's IP address, and then I'll change all internal URLs to use servername.domain2.com.

    I think I have to wait for Monday to do it so I can do tests with end users.

    I'll keep you posted.

    Regards.

    Friday, February 3, 2017 3:49 PM
  • The Active Directory domain and your Exchange e-mail domains do not have any relationship whatsoever except that Exchange makes your AD domain the default accepted and e-mail address policy domain.  That's something you can change anytime, and many organizations do because they can't receive mail for their non-routable AD domain names like company.local.

    If you haven't deployed split-brain DNS, you should, and you should use the same URL hostnames both for the external and internal URLs, and that, of course, would be the external routable name.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, February 4, 2017 3:06 AM
    Moderator
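As an added example (not code from any poster in this thread), here is a read-only Exchange Management Shell audit that combines Allen's check list with Ed's point that every internal and external URL should carry a hostname the certificate actually covers. It assumes the Exchange 2010 cmdlets named in the accepted answer, Get-ExchangeCertificate, and a placeholder thumbprint that you replace with the one bound to IIS.

```powershell
# Added example, not from the thread: read-only audit of every Exchange 2010 client
# namespace against the names on the certificate bound to IIS. Runs in the Exchange
# Management Shell; $CertThumbprint is a placeholder taken from Get-ExchangeCertificate.
$CertThumbprint = 'REPLACE-WITH-THUMBPRINT'

# Does the certificate cover this host? A wildcard such as *.domain2.com covers one
# label only: mail.domain2.com passes, domain2.com and a.b.domain2.com do not.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".domain2.com"
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if (-not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-NamespaceAudit {
    $certNames = (Get-ExchangeCertificate -Thumbprint $CertThumbprint).CertificateDomains |
        ForEach-Object { ([string]$_).ToLower() }
    $rows = @()
    # Same virtual directories as the accepted answer, plus Autodiscover and Outlook Anywhere
    $vdCmdlets = 'Get-OwaVirtualDirectory','Get-EcpVirtualDirectory','Get-OabVirtualDirectory',
                 'Get-WebServicesVirtualDirectory','Get-ActiveSyncVirtualDirectory','Get-PowerShellVirtualDirectory'
    foreach ($cmd in $vdCmdlets) {
        foreach ($vd in (& $cmd)) {
            foreach ($prop in 'InternalUrl','ExternalUrl') {
                if ($vd.$prop) { $rows += New-Object PSObject -Property @{ Service = $cmd.Substring(4);
                    Server = [string]$vd.Server; Setting = $prop; HostName = $vd.$prop.Host } }
            }
        }
    }
    foreach ($cas in Get-ClientAccessServer) { $rows += New-Object PSObject -Property @{ Service = 'Autodiscover';
        Server = $cas.Name; Setting = 'AutoDiscoverServiceInternalUri'; HostName = $cas.AutoDiscoverServiceInternalUri.Host } }
    foreach ($oa in (Get-OutlookAnywhere | Where-Object { $_.ExternalHostname })) { $rows += New-Object PSObject -Property @{
        Service = 'OutlookAnywhere'; Server = [string]$oa.Server; Setting = 'ExternalHostname'; HostName = [string]$oa.ExternalHostname } }
    # Flag every namespace the certificate does not cover, e.g. servername.domain1.com under *.domain2.com
    $rows | ForEach-Object { Add-Member -InputObject $_ -MemberType NoteProperty -Name Covered `
        -Value (Test-NameCovered $_.HostName $certNames) -PassThru }
}

Get-NamespaceAudit | Where-Object { -not $_.Covered } | Format-Table Service,Server,Setting,HostName -AutoSize
```

Any row it prints is a URL Outlook may be handed that the certificate cannot satisfy, which is exactly the servername.domain1.com case fixed later in this thread; with split-brain DNS in place, the same external hostname can be used for both the internal and external setting of each directory.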
  • Any update with this issue? Please feel free to let us know.

    Best Regards,

    Allen Wang

    Tuesday, February 7, 2017 3:33 AM
    Moderator
  • Hi All,

    I'm still trying to schedule that with the customer. I still do not have the OK for the change. Will update the case as soon as I do.

    Thank you

    Thursday, February 9, 2017 5:03 PM
  • Well, I will wait for your updates.

    Best Regards,

    Allen Wang

    Friday, February 10, 2017 2:40 AM
    Moderator
  • Hello All,

    The problem is fixed; it was the internal URLs which used the old domain. I changed them and all is OK now.

    Many thanks.

    Regards.

    Rachid

    Saturday, February 25, 2017 8:48 PM
  • Great, thanks for your sharing and effort.
    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Allen Wang

    Tuesday, February 28, 2017 3:15 AM
    Moderator