See if "mail.mydomain.loc" is part of a URL in the Exchange (2007) configuration
It's certificate renewal time and I wanted to add a subject alternate name to the cert request. I have a limit of 5 domains on the type of cert we are going to renew. I need the following:

- mail.mydomain.org
- autodiscover.mydomain.org
- mailserver.mydomain.local
- mailserver

I would like to replace mail.mydomain.local with another name. When I originally requested a certificate two years ago (and then renewed it last year) I thought that this name might be needed. As far as I can see, it is not used anywhere and I would like to replace it with something else in my next certificate request (osmtp.mydomain.org). How could I determine this?

Besides looking at my configuration in the EMC, I ran these commands in the EMS (below). Is there any other way, or anywhere else I should look?

[PS] C:\>Get-OwaVirtualDirectory | findstr mail.myDomain.local
[PS] C:\>Get-ClientAccessServer | findstr mail.myDomain.local
[PS] C:\>Get-WebServicesVirtualDirectory | findstr mail.myDomain.local
[PS] C:\>Get-OABVirtualDirectory | findstr mail.myDomain.local
[PS] C:\>Get-OutlookAnywhere | findstr mail.myDomain.local
[PS] C:\>Get-CASMailbox | findstr mail.myDomain.local
[PS] C:\>Get-ActiveSyncVirtualDirectory | findstr mail.myDomain.local
[PS] C:\>Get-OwaVirtualDirectory | fl | findstr mail.myDomain.local
[PS] C:\>Get-ClientAccessServer | fl | findstr mail.myDomain.local
[PS] C:\>Get-WebServicesVirtualDirectory | fl | findstr mail.myDomain.local
[PS] C:\>Get-OABVirtualDirectory | fl | findstr mail.myDomain.local
[PS] C:\>Get-OutlookAnywhere | fl | findstr mail.myDomain.local
[PS] C:\>Get-CASMailbox | fl | findstr mail.myDomain.local
[PS] C:\>Get-ActiveSyncVirtualDirectory | fl | findstr mail.myDomain.local
January 25th, 2011 10:44am

The recommendation now is to use as few certificates as possible. To quote from "Exchange 2010 Best Practices":

In general, most deployments can get away with just using two name spaces: one for all of the IIS services and one for Autodiscover. As documented, there is no requirement for the host FQDN as a subject alternative name, with a few exceptions ...

Actually, you can get away with one name space and use SRV for Autodiscover. This is in contrast to what, for instance, DigiCert's Exchange 2007 CSR Tool states: Microsoft recommends including your Exchange server's NetBIOS name, its FQDN, and autodiscover.yourdomain.com.

In your case, I would remove mailserver and mail.mydomain.local.

MCTS: Messaging | MCSE: S+M
January 26th, 2011 5:05am
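The original question asks where else a hostname might be referenced, and Jon's answer is about trimming the certificate to the names clients actually use. The two are one question in practice: which configured URLs and hostnames will the planned subject alternative names cover? The script below is an added example, not code from the thread or from Microsoft. It runs in the Exchange Management Shell on a Client Access/Hub Transport server and is written to PowerShell 1.0 syntax, which is what Exchange 2007 ships with. The cmdlet names are real Exchange 2007 cmdlets; the hostnames in `$NameToDrop` and `$PlannedSans` are the thread's placeholders, and the regular expression selecting which properties count as "client-facing" is an assumption of this example.

```powershell
# Added example (not from the thread): inventory the hostnames that Exchange 2007
# client-facing settings reference, flag every reference to a name you intend to
# drop from the certificate, and list configured names the planned SAN set would
# not cover. The hostnames below are placeholders taken from the thread.

param(
    [string]   $NameToDrop  = 'mail.mydomain.local',
    [string[]] $PlannedSans = @('mail.mydomain.org', 'autodiscover.mydomain.org',
                                'mailserver.mydomain.local', 'mailserver',
                                'osmtp.mydomain.org')
)

# Cmdlets whose objects carry URLs, hostnames or certificate names that clients use.
$cmdlets = @('Get-OwaVirtualDirectory', 'Get-WebServicesVirtualDirectory',
             'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
             'Get-AutodiscoverVirtualDirectory', 'Get-UMVirtualDirectory',
             'Get-ClientAccessServer', 'Get-OutlookAnywhere', 'Get-OutlookProvider',
             'Get-ReceiveConnector', 'Get-SendConnector',
             'Get-PopSettings', 'Get-ImapSettings')

# Properties that hold a URL, a hostname, or the name a client expects on the
# certificate (assumed set). DistinguishedName, MetabasePath and OriginatingServer
# also contain the server FQDN, but they are directory identity, not something a
# client connects to, so they are deliberately excluded.
$hostPattern = 'Url$|Uri$|Hostname$|^Fqdn$|^CertPrincipalName$|^X509CertificateName$'

function Get-HostFromValue([string] $Value) {
    # URLs yield their host part; "msstd:" certificate principal names and bare
    # hostnames are returned as-is; empty values are skipped. Everything is
    # lower-cased so the comparisons below are case-insensitive.
    if ([string]::IsNullOrEmpty($Value) -or $Value.Trim().Length -eq 0) { return $null }
    $text = $Value.Trim()
    if ($text -match '^msstd:(.+)$') { return $matches[1].ToLowerInvariant() }
    $uri = $null
    if ([System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref] $uri) -and $uri.Host) {
        return $uri.Host.ToLowerInvariant()
    }
    return $text.ToLowerInvariant()
}

$refs = @()
foreach ($cmdlet in $cmdlets) {
    # Skip cmdlets belonging to roles that are not installed on this server.
    if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) { continue }
    foreach ($obj in @(& $cmdlet -ErrorAction SilentlyContinue)) {
        foreach ($prop in $obj.PSObject.Properties) {
            if ($prop.Name -notmatch $hostPattern) { continue }
            $hostName = Get-HostFromValue ([string] $prop.Value)
            if (-not $hostName) { continue }
            $ref = New-Object PSObject
            $ref | Add-Member -MemberType NoteProperty -Name Source   -Value $cmdlet
            $ref | Add-Member -MemberType NoteProperty -Name Identity -Value ([string] $obj.Identity)
            $ref | Add-Member -MemberType NoteProperty -Name Property -Value $prop.Name
            $ref | Add-Member -MemberType NoteProperty -Name Host     -Value $hostName
            $refs += $ref
        }
    }
}

Write-Host "`nReferences to $NameToDrop (case-insensitive):"
$refs | Where-Object { $_.Host -like "*$NameToDrop*" } |
    Format-Table Source, Identity, Property, Host -AutoSize

Write-Host "`nConfigured names that the planned SAN list would NOT cover:"
$planned = @($PlannedSans | ForEach-Object { $_.ToLowerInvariant() })
$refs | Where-Object { $planned -notcontains $_.Host } |
    Sort-Object Host -Unique | Format-Table Host, Source, Property -AutoSize

Write-Host "`nNames on the certificate currently bound to IIS:"
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
    Format-List Thumbprint, CertificateDomains, NotAfter
```

Two points worth noting when reading the output. First, the comparison is case-insensitive, whereas `findstr` without `/I` matches case exactly, so a search for `mail.myDomain.local` against a table that prints `mail.mydomain.local` silently misses. Second, the script only sees what the Exchange configuration publishes; an existing Outlook profile keeps its own copy of the Outlook Anywhere proxy server and certificate principal name, so a name that no longer appears in the second report can still be presented to users by clients that have not refreshed their profile.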

Jon,

Thanks for your input. But to use only mail.myDomain.org (and possibly autodiscover.myDomain.org), I would necessarily have to change quite a few URLs (or URIs) that reference mailserver.mydomain.local? I did this once, following directions on Elan Shudnow's blog, and that seemed to work for the most part. But Outlook Anywhere users were always prompted for a password, and the dialog box referenced mailserver.mydomain.local. Which may be normal for an initial connection from a machine located outside the network that has not authenticated as it would on the LAN?

When the time came to renew the cert, I thought (perhaps incorrectly) that I might be able to eliminate that prompt by adding the FQDN of the mail server to the cert. But there is still the initial prompt.

I've read some recommending that the names you mention be removed from (or not put on) the cert because anyone looking at the cert details could see the name of your internal mail server. Others have asserted that, to take advantage of that knowledge, you'd have to already "own" the network.
January 26th, 2011 5:17pm

Hi,

Is mail.mydomain.local the name of the mailbox server or of the CAS server? How did you configure Outlook Anywhere? And please run the get-OutlookProvider -identity EXPR | fl command and post the output here.

Thanks
Allen

Allen Song
January 31st, 2011 3:58am

Thank you for your response Allen.

mail.mydomain.local is not the name (FQDN) of anything - to my knowledge - since I modified most (if not all) the URLs for the various Exchange services. I thought I would ask and see if there might be any references to this name (original question).

---------------------------------------------------------------------

Outlook Anywhere configuration? External host name is: mail.MYDOMAIN.org

[PS] C:\>Get-OutlookAnywhere | fl

ServerName                 : MyMailServer
SSLOffloading              : False
ExternalHostname           : mail.MYDOMAIN.org
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://MyMailServer.MYDOMAIN.local/W3SVC/1/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : MyMailServer
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=MyMailServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MYDOMAIN,DC=local
Identity                   : MyMailServer\Rpc (Default Web Site)
Guid                       : 6a262cb5-4b08-49c3-b115-75b7bd194f52
ObjectCategory             : MYDOMAIN.loc/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 9/4/2010 7:55:51 AM
WhenCreated                : 9/4/2010 7:55:36 AM
OriginatingServer          : DC1.MYDOMAIN.local
IsValid                    : True

---------------------------------------------------------------------

Here is the get-OutlookProvider cmdlet (as is, except for the obvious domain name change):

[PS] C:\Windows\System32>get-OutlookProvider -identity EXPR |fl

CertPrincipalName :
Server            :
TTL               : 1
AdminDisplayName  :
ExchangeVersion   : 0.1 (8.0.535.0)
Name              : EXPR
DistinguishedName : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MYDOMAIN,DC=local
Identity          : EXPR
Guid              : 73e9c2fe-64db-43fb-9415-86327babe124
ObjectCategory    : MYDOMAIN.loc/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass       : {top, msExchAutoDiscoverConfig}
WhenChanged       : 3/20/2009 4:11:41 PM
WhenCreated       : 3/20/2009 4:11:37 PM
OriginatingServer : DC1.MYDOMAIN.local
IsValid           : True
January 31st, 2011 12:40pm


