One of the great changes in Exchange 2013 is the simplification of namespaces. Where in previous versions you needed a handful, you can now stick with two. Well, you CAN actually do it with one.
The documentation on this is a huge ball of misconceptions and old best practices, so I decided it would be worth doing a simple tutorial on how to set it up. Once you know how to do it, it actually is fairly simple.
I’m going to assume you’re running split-brain DNS (essentially meaning you have both your internal and external DNS zones in your internal DNS). If you don’t, you’ll just have to make the same changes in two different locations.
Your domain name is iloveexchange.com (don’t we all?), and your external name will be mail.iloveexchange.com.
First off, you’ll need these DNS entries:
- A-record for mail.iloveexchange.com. This can point to either your CAS(es) or your load-balancer IP, depending on your setup.
- A-record for autodiscover.iloveexchange.com pointing to the same address as mail.iloveexchange.com, OR
- SRV record for _autodiscover._tcp on port 443 pointing to mail.iloveexchange.com (i.e. the CAS or load-balancer).
Now, the difference between a simple A-record and an SRV record is the difference between two namespaces and one. If you use an A-record (probably the most common), when you type in your address (firstname.lastname@iloveexchange.com), Outlook will look for autodiscover.iloveexchange.com. If you use an SRV record instead, Outlook will detect the service record and look up whatever host you point it to.
This is a failover thing, so if one doesn’t work, it’ll try the other. It still doesn’t matter which one you choose. I usually use the A-record because I find it easier to verify (ping autodiscover.iloveexchange.com to see if it’s there). Checking the SRV record is a couple more keypresses.
So going with the A-record, your SSL certificate will need to cover both mail.iloveexchange.com and autodiscover.iloveexchange.com:
Before you assign/request your certificate, you’d better make sure that there are no pointers to other URLs in your Exchange setup.
You can do this with PowerShell or using the ECP. I use the ECP for the first part here.
Go to Servers > Virtual directories, and you’ll get a list of all of them:
For each and every one of them, you need to change the settings so that both the internal and external URL are the same, using mail.iloveexchange.com:
This goes for everything but the PowerShell virtual directory!! Don’t mess with PowerShell.
Once you’ve done this, you would think you were done, right? Not a single pointer to your server names; everything points to mail.iloveexchange.com.
Not quite. You may have noticed that your Autodiscover virtual directory doesn’t have a URL field. If you run Get-AutodiscoverVirtualDirectory in PowerShell, you will see that the URL fields are in fact empty. That is because the Autodiscover URL isn’t actually a property of the virtual directory, but of the Client Access server (CAS).
So what you need to do is run
Set-ClientAccessServer -Identity (server) -AutoDiscoverServiceInternalUri https://mail.iloveexchange.com/Autodiscover/Autodiscover.xml
for all of your servers (you can pipe it, of course).
If you skip this step, your clients will get a certificate error on every startup, saying the server name (the internal FQDN) doesn’t match the SSL certificate.
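Here is the whole virtual-directory and Autodiscover step done in PowerShell instead of the ECP, plus a check that nothing still points at a server FQDN. This is an added example, not a script from the original post; the Exchange cmdlets are the standard ones, but the namespace value and the URL paths are assumptions based on the setup described above.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
# Sets every client-facing virtual directory on every CAS to the single namespace
# and moves the Autodiscover URL to the same name, then verifies the result.
$Namespace = 'mail.iloveexchange.com'   # assumption: the one public name from the post

# Get/Set cmdlet pairs and the path each virtual directory serves under.
# The PowerShell virtual directory is deliberately left out, as the post says.
# On Exchange 2013 SP1 or later you can add Get-/Set-MapiVirtualDirectory with '/mapi'.
$VDirs = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Path = '/owa' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Path = '/ecp' },
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Path = '/EWS/Exchange.asmx' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Path = '/Microsoft-Server-ActiveSync' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Path = '/OAB' }
)

$CasServers = Get-ClientAccessServer

foreach ($cas in $CasServers) {
    foreach ($vd in $VDirs) {
        $url = "https://$Namespace$($vd.Path)"
        # Internal and external URL get the same value, exactly as in the ECP step.
        & $vd.Get -Server $cas.Name | & $vd.Set -InternalUrl $url -ExternalUrl $url
    }
    # The Autodiscover URL lives on the CAS object, not on the virtual directory.
    Set-ClientAccessServer -Identity $cas.Name `
        -AutoDiscoverServiceInternalUri "https://$Namespace/Autodiscover/Autodiscover.xml"
}

# Verification: any URL whose host is not the namespace is one the certificate
# will not cover, which is exactly what produces the client certificate error.
$bad = foreach ($cas in $CasServers) {
    foreach ($vd in $VDirs) {
        & $vd.Get -Server $cas.Name | Where-Object {
            ($_.InternalUrl -and $_.InternalUrl.Host -ne $Namespace) -or
            ($_.ExternalUrl -and $_.ExternalUrl.Host -ne $Namespace)
        } | Select-Object Server, Identity, InternalUrl, ExternalUrl
    }
    Get-ClientAccessServer -Identity $cas.Name | Where-Object {
        $_.AutoDiscoverServiceInternalUri.Host -ne $Namespace
    } | Select-Object Name, AutoDiscoverServiceInternalUri
}
if ($bad) { $bad | Format-Table -AutoSize } else { "All URLs point at $Namespace" }
```

Run the verification part alone first if you just want to audit an existing setup before changing anything.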
Good! Now all you have to do is request a certificate, or assign one if you already have one. I’m not going through that here; there are other guides that cover that part. But the names on the certificate should be just mail.iloveexchange.com and autodiscover.iloveexchange.com (remove everything else):
Fire away if you have questions!