Internal name and reserved IP address certificates will expire by October 31, 2015. If you are reading this blog because you are knee-deep in replacing your publicly trusted internal name certificates, you have come to the right place. If you are just learning about replacing your internal name certificates, see our previous post Replacing Your Internal Name Certificates.
This post will cover how to reconfigure your Exchange server to use a publicly registered domain name. This process will only affect your Exchange Autodiscover settings, so mail clients will know to connect to Exchange using your registered domain name rather than an internal name. This will not actually change your server name or AD domain.
We recommend subscribing to this blog. We will keep it updated if additional information or changes are required. Also, please feel free to leave comments or questions. We will answer questions as they are received.
In this post: Prerequisites; Using the Internal Name Tool; Using the Exchange Management Shell (EMS)

Prerequisites for Reconfiguring Your Exchange Server
Before you reconfigure your Exchange Autodiscover settings to use a publicly registered domain name, you must complete the following prerequisites:
Install and enable your reissued certificate on all of your CAS servers. Below are links to instructions that can help you get your certificate installed:
The server must have the Exchange Client Access Server role. Your custom Exchange setup may have multiple servers with this role.
You only need to run the Internal Name Tool on one CAS server; it updates the configuration for all of them. The Exchange Management Shell (EMS) commands are different: each one takes a per-server identity (for example "HostName\EWS (Default Web Site)"), so when you use EMS you must repeat the "set" commands for every CAS server.
In the Exchange Management Shell, run the following commands to check which servers are CAS servers (servers with CAS role):
Get-ClientAccessServer
Get-ExchangeServer | fl Name, ServerRole
The output will look something like this:
Name : WIN-B8H99E6AN82
ServerRole : Mailbox, ClientAccess
To ensure access to the required commands, the user who runs the Internal Name Tool or EMS commands must have the Organization Management role.
Set up records on your internal DNS (split DNS) so that the registered domain name resolves to the internal IP address that clients use to reach Exchange; external clients keep resolving the same name to your public IP address.
If you plan to use a Client Access Array, we recommend that you set this up in advance with the domain name you are using when reconfiguring Exchange.
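The prerequisites above can be checked from the Exchange Management Shell before anything is changed. The script below is an added example, not DigiCert's Internal Name Tool and not code from the original post. It assumes Exchange 2013 (the version whose Outlook Anywhere parameters this post uses), that it runs as the account that will make the change, and that mail.yourdomain.com and 10.0.0.25 are placeholders for your registered name and the internal IP that name must resolve to.

```powershell
# Added pre-flight check; not DigiCert's tool and not code from the post.
# Assumes the Exchange 2013 Management Shell, run as the account that will do the
# reconfiguration. $PublicName and $ExpectedIp are placeholders.
$PublicName = 'mail.yourdomain.com'
$ExpectedIp = '10.0.0.25'

# Heuristic for names a public CA will no longer issue: single-label hosts,
# non-public suffixes, or bare IP addresses.
function Test-InternalName([string]$Name) {
    $ip = $null
    return ($Name -notmatch '\.') -or
           ($Name -match '\.(local|internal|lan|corp)$') -or
           [System.Net.IPAddress]::TryParse($Name, [ref]$ip)
}

$problems = @()

# 1. Every server holding the Client Access role, not just the local one
$casServers = @(Get-ExchangeServer | Where-Object { $_.IsClientAccessServer })
if ($casServers.Count -eq 0) { $problems += 'No Client Access servers found.' }

# 2. On each CAS the certificate enabled for IIS must cover the public name
#    (exact SAN or the single-label wildcard), be unexpired, and carry no internal names.
$wild = if ($PublicName.Contains('.')) { '*.' + $PublicName.Substring($PublicName.IndexOf('.') + 1) } else { $null }
foreach ($cas in $casServers) {
    $iisCerts = @(Get-ExchangeCertificate -Server $cas.Name |
                  Where-Object { "$($_.Services)" -match 'IIS' })
    if ($iisCerts.Count -eq 0) { $problems += "$($cas.Name): no certificate is enabled for IIS."; continue }
    foreach ($cert in $iisCerts) {
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $tag   = "$($cas.Name): IIS certificate $($cert.Thumbprint)"
        $covered = ($names -contains $PublicName) -or ($wild -and ($names -contains $wild))
        if (-not $covered) { $problems += "$tag does not cover $PublicName (names: $($names -join ', '))." }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "$tag expired on $($cert.NotAfter)." }
        $internal = @($names | Where-Object { Test-InternalName $_ })
        if ($internal.Count -gt 0) { $problems += "$tag still lists internal names: $($internal -join ', ')." }
    }
}

# 3. Organization Management. Only direct members are listed here; membership
#    through a nested group is not detected, so confirm it in the EAC if this warns.
$members = @(Get-RoleGroupMember 'Organization Management' | ForEach-Object { $_.Name })
if ($members -notcontains $env:USERNAME) {
    $problems += "$env:USERNAME is not a direct member of Organization Management (members: $($members -join ', '))."
}

# 4. Split DNS: from inside the network the public name must resolve to the internal IP.
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString })
    if ($resolved -notcontains $ExpectedIp) { $problems += "$PublicName resolves to $($resolved -join ', '), expected $ExpectedIp." }
} catch {
    $problems += "$PublicName does not resolve: $($_.Exception.Message)"
}

if ($problems.Count -eq 0) {
    Write-Host "All prerequisites met on $($casServers.Count) CAS server(s); ready to reconfigure."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it once per environment and fix every warning before moving on; a certificate that covers the public name on only some CAS servers is the usual cause of the name not appearing in the tool's drop-down list.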
After you’ve completed all the prerequisites, you are ready to use the DigiCert Internal Name Tool or the Exchange Management Shell to reconfigure your Exchange server.
To reconfigure your Exchange Autodiscover settings, we recommend using the DigiCert® Internal Name Tool. We designed this tool specifically to make your move from internal names to registered domain names easy and less painful.
Using the Internal Name Tool to Reconfigure Exchange Autodiscover Settings

This section covers running the tool, the OutlookAnywhere setting, how to roll back to your previous Autodiscover settings, and troubleshooting.
Download the Internal Name Tool from DigiCert.
The drop-down list is populated with the names found in the certificate currently enabled on the IIS role of the CAS servers. If you don’t see your registered domain name in the list, you may need to check that the certificate is correctly installed and enabled on all your CAS servers.
Note: This domain name should be the domain name that clients will use to connect to Exchange.
Your clients will connect to the Autodiscover service, learn the new settings, and connect to the Exchange server using the external name.
No more certificate name mismatch error!
Get-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" | fl InternalHostname, InternalClientsRequireSsl
InternalHostname : internaldomain.local
InternalClientsRequireSsl : True
If the InternalHostname is blank, if the InternalHostname is already a publicly registered domain name, or if InternalClientsRequireSsl is False, you probably don't need to reconfigure this setting (that is, you can skip the "set" command for it). Otherwise, run:
Set-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" -InternalHostname mail.yourdomain.com -InternalClientsRequireSsl $true
No more "The settings for OutlookAnywhere could not be read" errors!
In RollbackExchangeInternalNameScript.ps1, change "InternalHostname" to the name you recorded when running the Get-OutlookAnywhere command.
Finally, to force these changes to take effect, recycle the Exchange application pools in IIS so the Client Access services reload their settings.
In the Windows Start menu or from the Start screen, type inetmgr to open IIS Manager, then recycle the MSExchange* application pools on each CAS server. Running iisreset from an elevated prompt also works, but it briefly interrupts all client access to that server.
If you encounter a “settings could not be read” error message, do the following:
1. Check your permissions. Specifically, check to make sure that you have the Organization Management role assigned to you. See Prerequisites for Reconfiguring Your Exchange Server.
2. Rerun the Internal Name Tool, making sure that you run it as administrator. See Using the Internal Name Tool to Reconfigure Exchange Autodiscover Settings.
If any of your items fail and your problem is not covered in this Troubleshooting section, do the following:
1. Click the more info link to determine the cause.
2. If all else fails, use Google to research the error/warning.
3. Correct the problem.
4. Rerun the Internal Name Tool.
If you run into any problems that cannot be resolved, please try using the Exchange Management Shell to reconfigure your Exchange servers.
In many Exchange environments, the OutlookAnywhere InternalHostname setting is not configured or does not need to be changed. If the above steps fixed your Exchange client certificate warnings, don’t worry about updating this setting.
For those who don’t know if the setting is needed in your environment, you can run a command to check and/or record the setting in case a roll back is needed.
If necessary, after you use the DigiCert Internal Name Tool to reconfigure your Exchange servers, you can use the RollbackExchangeInternalNameScript.ps1 to roll back Autodiscover to your previous settings.
If for some reason you cannot use the Internal Name Tool, you can use Exchange Management Shell (EMS) to reconfigure your Exchange Autodiscover and other settings.
Before you begin reconfiguring your Exchange server’s settings, you need to run some “get” commands so you can verify which settings actually need to be changed. This also gives you the opportunity to record your settings should you need to roll back to them for some reason.
Get-ClientAccessServer -Identity HostName | fl AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" | fl InternalUrl
Get-OabVirtualDirectory -Identity "HostName\oab (Default Web Site)" | fl InternalUrl
Get-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" | fl InternalUrl
Get-OwaVirtualDirectory -Identity "HostName\owa (Default Web Site)" | fl InternalUrl
Get-EcpVirtualDirectory -Identity "HostName\ecp (Default Web Site)" | fl InternalUrl
HostName is the name of the CAS server, and the backslash between it and the virtual directory is part of the identity. Run these for each CAS server and keep the output.
AutoDiscoverServiceInternalUri : https://internalname/Autodiscover/Autodiscover.xml
InternalUrl : https://internalname/EWS/Exchange.asmx
InternalUrl : https://internalname/OAB
InternalUrl : https://internalname/Microsoft-Server-ActiveSync
InternalUrl : https://internalname/owa
InternalUrl : https://internalname/ecp
In many Exchange environments, the OutlookAnywhere InternalHostname setting on your Exchange server is not configured. So if you didn't configure it, don't worry about updating this setting.
For those of you who did configure it, or who don't know whether it was configured, run the following command to check and record the setting (in case a rollback is needed):
Get-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" | fl InternalHostname, InternalClientsRequireSsl
InternalHostname : InternalHostname
InternalClientsRequireSsl : True
If the InternalHostname is blank, if the InternalHostname is already a publicly registered domain name, or if InternalClientsRequireSsl is False, you probably don't need to reconfigure this setting (that is, you can skip the "set" command for it).
After verifying and recording your Exchange settings, run the following commands, as needed, to reconfigure your settings:
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Set-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"
Set-OWAVirtualDirectory -Identity "HostName\owa (Default Web Site)" -InternalUrl "https://mail.yourdomain.com/owa"
Set-ECPVirtualDirectory -Identity "HostName\ecp (Default Web Site)" -InternalUrl "https://mail.yourdomain.com/ecp"
Set-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" -InternalHostname mail.yourdomain.com -InternalClientsRequireSsl $true
Each identity is per server (HostName is the CAS server name, followed by a backslash and the virtual directory), so repeat these commands for every CAS server. Only run the Set-OutlookAnywhere command if the check above showed that the setting needs changing.
Finally, to force these commands to take effect, recycle the Exchange application pools in IIS so the Client Access services reload their settings.
In the Windows Start menu or from the Start screen, type inetmgr to open IIS Manager, then recycle the MSExchange* application pools on each CAS server. Running iisreset from an elevated prompt also works, but it briefly interrupts all client access to that server.
Your clients will connect to the Autodiscover service, learn the new settings, and connect to the Exchange server using the external name.
No more certificate name mismatch error!
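Whether the mismatch is really gone can be checked rather than assumed. The script below is an added example, not the post's commands and not DigiCert's tool; it assumes the Exchange 2013 Management Shell and read access to the CAS servers' settings. For every CAS server it reads each URL that Autodiscover hands to internal clients, plus the Outlook Anywhere InternalHostname where SSL is required, and reports any host name that the certificate enabled for IIS on that server does not cover. It changes nothing, so it is safe to run before and after the reconfiguration.

```powershell
# Added check; not the post's commands or DigiCert's tool. Read-only.
# Assumes the Exchange 2013 Management Shell.
$mismatches = @()

foreach ($cas in (Get-ExchangeServer | Where-Object { $_.IsClientAccessServer })) {
    $srv = $cas.Name

    # Names on the certificate(s) enabled for IIS on this server
    $names = @(Get-ExchangeCertificate -Server $srv |
               Where-Object { "$($_.Services)" -match 'IIS' } |
               ForEach-Object { $_.CertificateDomains } |
               ForEach-Object { "$_" })

    # Everything Autodiscover advertises to internal clients, using the same
    # per-server identities the post's "get" commands use
    $urls = @(
        @{ Label='AutoDiscoverServiceInternalUri'; Value=(Get-ClientAccessServer -Identity $srv).AutoDiscoverServiceInternalUri }
        @{ Label='EWS InternalUrl';        Value=(Get-WebServicesVirtualDirectory -Identity "$srv\EWS (Default Web Site)").InternalUrl }
        @{ Label='OAB InternalUrl';        Value=(Get-OabVirtualDirectory -Identity "$srv\oab (Default Web Site)").InternalUrl }
        @{ Label='ActiveSync InternalUrl'; Value=(Get-ActiveSyncVirtualDirectory -Identity "$srv\Microsoft-Server-ActiveSync (Default Web Site)").InternalUrl }
        @{ Label='OWA InternalUrl';        Value=(Get-OwaVirtualDirectory -Identity "$srv\owa (Default Web Site)").InternalUrl }
        @{ Label='ECP InternalUrl';        Value=(Get-EcpVirtualDirectory -Identity "$srv\ecp (Default Web Site)").InternalUrl }
    )

    # Outlook Anywhere only matters when internal clients must use SSL to that name
    $oa = Get-OutlookAnywhere -Identity "$srv\Rpc (Default Web Site)"
    if ($oa.InternalClientsRequireSsl -and "$($oa.InternalHostname)") {
        $urls += @{ Label='OutlookAnywhere InternalHostname'; Value="https://$($oa.InternalHostname)/" }
    }

    foreach ($u in $urls) {
        if (-not "$($u.Value)") { continue }   # blank: nothing is advertised for it
        $h = ([uri]"$($u.Value)").Host
        # Exact SAN match, or the single-label wildcard that would cover this host
        $wild = if ($h.Contains('.')) { '*.' + $h.Substring($h.IndexOf('.') + 1) } else { $null }
        $covered = ($names -contains $h) -or ($wild -and ($names -contains $wild))
        if (-not $covered) {
            $mismatches += [pscustomobject]@{ Server=$srv; Setting=$u.Label; Host=$h; CertNames=($names -join ', ') }
        }
    }
}

if ($mismatches.Count -eq 0) {
    Write-Host 'Every advertised internal URL is covered by the IIS certificate on its server.'
} else {
    $mismatches | Format-Table -AutoSize
}
```

Any row in the output is a name clients will still be warned about: either the URL was not updated on that server, or the reissued certificate on that server does not list the host it now advertises.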
If necessary, after you reconfigure your Exchange server settings, you can roll back to your previous settings.
After verifying and recording your Exchange settings, run the following commands, as needed, to roll back your settings. Refer to the details you recorded when running the "get" commands.
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://internalname/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://internalname/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://internalname/oab
Set-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://internalname/Microsoft-Server-ActiveSync"
Set-OWAVirtualDirectory -Identity "HostName\owa (Default Web Site)" -InternalUrl "https://internalname/owa"
Set-ECPVirtualDirectory -Identity "HostName\ecp (Default Web Site)" -InternalUrl "https://internalname/ecp"
Set-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" -InternalHostname internalname -InternalClientsRequireSsl $true
Replace internalname with the value you recorded for each setting, and repeat the commands for every CAS server. Skip the Set-OutlookAnywhere command if the InternalHostname was blank before you started.
Finally, to force these commands to take effect, recycle the Exchange application pools in IIS so the Client Access services reload their settings.
In the Windows Start menu or from the Start screen, type inetmgr to open IIS Manager, then recycle the MSExchange* application pools on each CAS server. Running iisreset from an elevated prompt also works, but it briefly interrupts all client access to that server.
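The reconfiguration and the rollback are the same set of commands with a different host name, run once per CAS server, followed by an application pool recycle. The script below is an added example that does both; it is not the post's own commands and not DigiCert's tool or RollbackExchangeInternalNameScript.ps1. It assumes the Exchange 2013 Management Shell (the version whose Outlook Anywhere parameters this post uses), Organization Management rights, and WinRM access to each CAS server for the recycle step; mail.yourdomain.com, internalname and the backup file path are placeholders. It records every value it overwrites so you have the "before" state without copying it by hand.

```powershell
# Added example; not the post's commands and not DigiCert's tool or rollback script.
# Assumes the Exchange 2013 Management Shell, Organization Management rights and
# WinRM access to each CAS server. Host names and the backup path are placeholders.

# One row per virtual directory the post changes: get/set cmdlets, the directory
# name used in the per-server identity, and the path that follows the host name.
$VdirSettings = @(
    @{ Get='Get-WebServicesVirtualDirectory'; Set='Set-WebServicesVirtualDirectory'; Vdir='EWS';                         Path='/ews/exchange.asmx' }
    @{ Get='Get-OabVirtualDirectory';         Set='Set-OabVirtualDirectory';         Vdir='oab';                         Path='/oab' }
    @{ Get='Get-ActiveSyncVirtualDirectory';  Set='Set-ActiveSyncVirtualDirectory';  Vdir='Microsoft-Server-ActiveSync'; Path='/Microsoft-Server-ActiveSync' }
    @{ Get='Get-OwaVirtualDirectory';         Set='Set-OwaVirtualDirectory';         Vdir='owa';                         Path='/owa' }
    @{ Get='Get-EcpVirtualDirectory';         Set='Set-EcpVirtualDirectory';         Vdir='ecp';                         Path='/ecp' }
)

# Points every internal URL on every CAS server at $HostName. Called with the
# registered name this is the reconfiguration; called with the internal name you
# recorded it is the rollback. Returns the values it replaced.
function Set-ExchangeInternalHost {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [switch]$SkipOutlookAnywhere   # leave InternalHostname untouched
    )
    $previous = @()
    foreach ($cas in (Get-ExchangeServer | Where-Object { $_.IsClientAccessServer })) {
        $srv = $cas.Name

        # The Autodiscover SCP URI is a server-level setting, not a virtual directory
        $old = (Get-ClientAccessServer -Identity $srv).AutoDiscoverServiceInternalUri
        $previous += [pscustomobject]@{ Server=$srv; Setting='AutoDiscoverServiceInternalUri'; Was="$old" }
        Set-ClientAccessServer -Identity $srv -AutoDiscoverServiceInternalUri "https://$HostName/autodiscover/autodiscover.xml"

        # Virtual directories are identified per server ("SERVER\EWS (Default Web Site)"),
        # which is why the post's commands must be repeated for each CAS server.
        foreach ($s in $VdirSettings) {
            $id  = "$srv\$($s.Vdir) (Default Web Site)"
            $old = (& $s.Get -Identity $id).InternalUrl
            $previous += [pscustomobject]@{ Server=$srv; Setting="$($s.Vdir) InternalUrl"; Was="$old" }
            & $s.Set -Identity $id -InternalUrl "https://$HostName$($s.Path)"
        }

        # Outlook Anywhere: skipped when InternalHostname is blank or internal clients
        # do not require SSL, the cases in which the post says it need not change.
        $oaId = "$srv\Rpc (Default Web Site)"
        $oa   = Get-OutlookAnywhere -Identity $oaId
        if (-not $SkipOutlookAnywhere -and "$($oa.InternalHostname)" -and $oa.InternalClientsRequireSsl) {
            $previous += [pscustomobject]@{ Server=$srv; Setting='OutlookAnywhere InternalHostname'; Was="$($oa.InternalHostname)" }
            Set-OutlookAnywhere -Identity $oaId -InternalHostname $HostName -InternalClientsRequireSsl $true
        }

        # Recycle the Exchange application pools so IIS serves the new values now
        # (the post does this in inetmgr; this does the same over WinRM).
        Invoke-Command -ComputerName $srv -ScriptBlock {
            Import-Module WebAdministration
            Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -like 'MSExchange*' } |
                ForEach-Object { Restart-WebAppPool -Name $_.Name }
        }
    }
    return $previous
}

# Reconfigure, keeping what was there in case a rollback is needed
$before = Set-ExchangeInternalHost -HostName 'mail.yourdomain.com'
$before | Export-Clixml -Path "$env:USERPROFILE\exchange-internal-urls-before.xml"
$before | Format-Table -AutoSize

# Rollback is the same call with the recorded internal name. This is exact only if
# every recorded URL used that one host; otherwise set the odd ones from $before.
# Set-ExchangeInternalHost -HostName 'internalname'
```

The function changes nothing it did not read first, so the returned table is the record the post asks you to keep; if a URL was blank before, its "Was" column is empty and a rollback should clear it (pass $null to the matching -InternalUrl) rather than write the internal name back.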