Solved

Windows internal domain name issue?

Posted on 2009-05-18
13
453 Views
Last Modified: 2012-05-07
A few years ago, when we were designing our first Windows domain, we contacted a local consulting firm to discuss our options.  One topic of discussion was the name for our internal domain.  They informed us of the negatives of using our external domain name for the internal domain name, so they came up with two suggestions, domain.local or domain.int.  We opted for the shorter of the two, domain.int.  Fast forward two years and we add our first Exchange server; no issues until we go to purchase a unified communications certificate.  The certificate authority informs us that they cannot issue a certificate that contains domain.int since .int is reserved for intergovernmental organizations.  We cannot rename our internal domain name since Exchange 2007 does not support it, and ignoring the invalid name breaks certain features in Outlook 2007.  Do you see any other options?

Thanks
Mark
Question by:Herbein
13 Comments
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
You don't have to get a SAN/UCC cert for domain.int itself.
The records needed are
autodiscover.yourexternaldomain.com
mail.yourexternaldomain.com
netbios name of your exchange server
fqdn of your exchange server, so e.g. it will be exchange.domain.int

Check whether they would issue a cert to exchangeservername.domain.int?

Read this for more info on the records needed.
http://enchiparambil.com/ucc_san_certificate_for_exchange_2007.aspx
0
 
LVL 70

Expert Comment

by:Chris Dent

Shoot the consultant that recommended .int?

I think your only real option is to shift over to a new domain / forest, which is really unpleasant.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent

It won't be allowed. To get to exchange.domain.int you'd have to prove ownership of domain.int, they won't issue a certificate to exchange.domain.int without ownership of the parent.

Chris
0
 

Author Comment

by:Herbein
I believe Chris is correct that I cannot purchase a certificate that contains domain.int without owning the parent and I cannot because of the requirements.

Any other options other than a new domain name?
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
If you can't get a certificate, then a new domain name is your only option.
0
 
LVL 31

Expert Comment

by:DrUltima
For external access (OWA, for example), get a certificate for mail.YOURREALDOMAIN.com.  For internal needs, use AD to issue your own security certificates.  You can issue your own certificate for a .int and it will work as long as you are not trying to publish it externally (which you shouldn't anyway, since you don't own the domain).

Before I go any further with a "how to" for internally issued certificates, I need to know what version of Windows 2003 you are using for AD and if you have any Windows 2008 servers running in your domain.
0
 

Author Comment

by:Herbein
We have a certificate for IIS and that works perfectly for OWA.  I also have a self-signed certificate for SMTP and that seems to be working fine.  What we found that is broken is the offline address book.  It only looks for the fqdn of the exchange server, but I can't change the IIS certificate because that will break OWA.  I am not sure if any other functionality is broken since the majority of our users access Exchange with Outlook 2003.

Our Exchange server is on Windows 2008 and all other servers in the domain are 2003 R2.
0
 
LVL 24

Assisted Solution

by:Rajith Enchiparambil
Rajith Enchiparambil earned 100 total points
The only other way is to use an internal CA. Though it will take more steps to make it work for ActiveSync etc, that is your only other option.
0
 
LVL 70

Expert Comment

by:Chris Dent

I agree, an internal trusted CA isn't such a bad plan here. At least you can post its certificate into the trusted store via Group Policy. Doesn't much help for external connections, or anywhere you can't control the certificate store, but it should allow internal processes to work.

Chris
0
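An added check for the two points made above (Rajith's list of names that must be on the certificate, and Chris's note that an internal CA only helps where Group Policy can seed the trusted store). This is example code written for this page, not something posted in the thread: it confirms on a domain-joined machine that the internal root CA actually landed in the machine's Trusted Root store, lists the Subject Alternative Names on the server certificate so they can be compared against the autodiscover, mail, NetBIOS and FQDN entries Rajith listed, and then builds the chain the way a client would. The CA subject and the certificate path are placeholders.

```powershell
# Added example (not from the thread): verify an internal root CA distributed by Group Policy
# is trusted on this machine and that a server certificate chains to it.
# 'Example Internal Root CA' and C:\temp\exchange.cer are placeholders for your own values.
param(
    [string]$RootCaSubject  = 'CN=Example Internal Root CA',  # hypothetical CA subject
    [string]$ServerCertPath = 'C:\temp\exchange.cer'          # exported server cert (placeholder)
)

# 1. Group Policy "Trusted Root Certification Authorities" writes to LocalMachine\Root.
#    If the root is not here, internal clients will still see certificate warnings.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject }
if (-not $root) {
    Write-Warning "Root '$RootCaSubject' not in LocalMachine\Root - GPO may not have applied yet (gpupdate /force)."
} else {
    "Root present: thumbprint {0}, valid until {1}" -f $root.Thumbprint, $root.NotAfter
}

# 2. Load the server certificate and print the names a client will match against.
#    OID 2.5.29.17 is the Subject Alternative Name extension.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
"Subject: {0}" -f $cert.Subject
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    "SAN entries: " + $san.Format($false)
} else {
    "No SAN extension - only the CN will match, so autodiscover/mail names will fail."
}

# 3. Build the chain exactly as a client does, including online revocation checking,
#    so that a CRL the clients cannot reach shows up here rather than in Outlook.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if ($chain.Build($cert)) {
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK, anchored at: " + $last.Subject
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

Run it on an ordinary workstation rather than on the Exchange server itself; the server trusts its own CA by construction, and the question being answered is whether the clients do. A chain that builds with revocation checking off but fails with it on usually means the CRL distribution point in the CA's certificate is not reachable from the client network.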
 

Author Comment

by:Herbein
Do you think anything will change making my problem better/worse with Exchange 2010?
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 150 total points
Exchange 2010 is based on Exchange 2007, so there will be no change there.
If you have an internal domain that you cannot get a certificate for, then it can be worked around.

You must have an internal DNS zone for your public DNS, so that you can publish autodiscover.example.com and your preferred OWA address internally with the internal IP address. Then all URLs within Exchange are changed to use the public name. It can be done, it is just hard work and a lot of testing involved to make sure that you have got every single reference changed.

Simon.
0
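The split-DNS workaround Simon describes, and the broken offline address book Mark reported earlier (the OAB URL pointing at the server's .int FQDN), both come down to finding every internal URL that still carries the unusable suffix and repointing it at the public name. The following is an added example written for this page, not the thread's own code: run from the Exchange Management Shell it first confirms that the public name resolves internally to a private address (i.e. the internal zone really is authoritative), then audits the OAB, Web Services, ActiveSync and OWA virtual directories plus the Autodiscover SCP, and only changes anything when -Apply is given. The server name, suffix and public host names are placeholders.

```powershell
# Added example (not from the thread): audit, and optionally repoint, Exchange 2007/2010
# internal URLs that still reference the .int suffix. EXCH01, domain.int and the
# example.com names are placeholders for your own values.
param(
    [string]$Server           = 'EXCH01',                    # Client Access server (placeholder)
    [string]$OldSuffix        = 'domain.int',                # suffix the public CA will not issue for
    [string]$PublicHost       = 'mail.example.com',          # name present on the purchased UCC cert
    [string]$AutodiscoverHost = 'autodiscover.example.com',  # also on the UCC cert
    [switch]$Apply                                           # without -Apply this only reports
)

# Step 1: the split-DNS zone must hand internal clients a private address for the public name.
$ips = @([System.Net.Dns]::GetHostAddresses($PublicHost) | ForEach-Object { $_.IPAddressToString })
"$PublicHost resolves to: $($ips -join ', ')"
$rfc1918 = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
if (-not ($ips -match $rfc1918)) {
    Write-Warning "No private address returned - the internal zone for the public domain is missing here."
}

# Step 2: virtual directories whose InternalUrl Outlook and ActiveSync clients use.
# Each entry names the Get-/Set- cmdlet pair (standard Exchange 2007 SP1 / 2010 cmdlets).
$targets = @(
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory' },
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory' },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory' }
)

foreach ($t in $targets) {
    foreach ($v in (& $t.Get -Server $Server)) {
        $url = [string]$v.InternalUrl
        if ($url -and $url.ToLower().Contains($OldSuffix.ToLower())) {
            # Keep the path (e.g. /OAB, /EWS/Exchange.asmx), swap only the host part.
            $path  = (New-Object System.Uri $url).AbsolutePath
            $fixed = "https://$PublicHost$path"
            "{0}: {1} -> {2}" -f $v.Identity, $url, $fixed
            if ($Apply) { & $t.Set -Identity $v.Identity -InternalUrl $fixed }
        } else {
            "{0}: OK ({1})" -f $v.Identity, $url
        }
    }
}

# Step 3: the Autodiscover service connection point that Outlook 2007 reads from AD.
$cas = Get-ClientAccessServer -Identity $Server
$scp = [string]$cas.AutoDiscoverServiceInternalUri
if ($scp.ToLower().Contains($OldSuffix.ToLower())) {
    $fixed = "https://$AutodiscoverHost/Autodiscover/Autodiscover.xml"
    "Autodiscover SCP: $scp -> $fixed"
    if ($Apply) { Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri $fixed }
} else {
    "Autodiscover SCP: OK ($scp)"
}
```

Run it once without -Apply and keep the report; that is the list of "every single reference" Simon says must be changed, and running it again afterwards should show every line as OK. The new names must appear both in the internal DNS zone and in the SAN list of the purchased certificate, otherwise the OAB download simply moves from a name-mismatch error to a resolution error.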
 
LVL 70

Accepted Solution

by:Chris Dent
Chris Dent earned 250 total points

The work-arounds will probably get you through this one, but I would suggest that in the slightly longer term you plan for a move to a domain name. It's a lot of work, but it's unlikely to get any easier in the future.

Chris
0
 

Author Comment

by:Herbein
Thanks for everyone's help.
0
