Solved

Windows internal domain name issue?

Posted on 2009-05-18
457 Views
Last Modified: 2012-05-07
A few years ago, when we were designing our first Windows domain, we contacted a local consulting firm to discuss our options.  One topic of discussion was the name for our internal domain.  They informed us of the negatives of using our external domain name for the internal domain name, so they came up with two suggestions, domain.local or domain.int.  We opted for the shorter of the two, domain.int.  Fast forward two years and we add our first Exchange server, no issues until we go to purchase a unified communications certificate.  The certificate authority informs us that they cannot issue a certificate that contains domain.int since .int is reserved for intergovernmental organizations.  We cannot rename our internal domain name since Exchange 2007 does not support it, and ignoring the invalid name breaks certain features in Outlook 2007.  Do you see any other options?

Thanks
Mark
Question by:Herbein
13 Comments
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24413496
You don't have to get a SAN/UCC cert for domain.int itself.
The records needed are:
autodiscover.yourexternaldomain.com
mail.yourexternaldomain.com
NetBIOS name of your Exchange server
FQDN of your Exchange server, e.g. exchange.domain.int

Check whether they would issue a cert to exchangeservername.domain.int.

Read this for more info on the records needed:
http://enchiparambil.com/ucc_san_certificate_for_exchange_2007.aspx
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24413516

Shoot the consultant that recommended .int?

I think your only real option is to shift over to a new domain / forest, which is really unpleasant.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24413532

It won't be allowed. To get to exchange.domain.int you'd have to prove ownership of domain.int, they won't issue a certificate to exchange.domain.int without ownership of the parent.

Chris
0
 

Author Comment

by:Herbein
ID: 24413858
I believe Chris is correct that I cannot purchase a certificate that contains domain.int without owning the parent and I cannot because of the requirements.

Any other options other than a new domain name?
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24413912
If you can't get a certificate, then a new domain name is your only option.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 24413985
For external access (OWA, for example), get a certificate for mail.YOURREALDOMAIN.com.  For internal needs, use AD to issue your own security certificates.  You can issue your own certificate for a .int and it will work as long as you are not trying to publish it externally (which you shouldn't anyway, since you don't own the domain).

Before I go any further with a "how to" for internally issued certificates, I need to know what version of Windows 2003 you are using for AD and if you have any Windows 2008 servers running in your domain.
0
 

Author Comment

by:Herbein
ID: 24414229
We have a certificate for IIS and that works perfectly for OWA.  I also have a self-signed certificate for SMTP and that seems to be working fine.  What we found that is broken is the offline address book.  It only looks for the FQDN of the Exchange server, but I can't change the IIS certificate because that will break OWA.  I am not sure if any other functionality is broken since the majority of our users access Exchange with Outlook 2003.

Our Exchange server is on Windows 2008 and all other servers in the domain are 2003 R2.
0
 
LVL 24

Assisted Solution

by:Rajith Enchiparambil
Rajith Enchiparambil earned 100 total points
ID: 24414808
The only other way is to use an internal CA. Though it will take more steps to make it work for ActiveSync etc, that is your only other option.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24414965

I agree, an internal trusted CA isn't such a bad plan here. At least you can post its certificate into the trusted store via Group Policy. Doesn't much help for external connections, or anywhere you can't control the certificate store, but it should allow internal processes to work.

Chris
0
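The internal-CA route Rajith and Chris describe, as an added worked example that is not from the thread. It assumes an Exchange 2007 SP1 server named EXCH01 in domain.int, an Active Directory enterprise CA at "CA01.domain.int\domain-Issuing-CA" whose Web Server template accepts a subject supplied in the request, a public name mail.example.com, and paths under C:\certs; all of those names are placeholders. It is run from the Exchange Management Shell on EXCH01.

```powershell
# Added example (not the thread's own commands). Placeholders: EXCH01, domain.int,
# CA01.domain.int\domain-Issuing-CA, example.com, C:\certs.

# 1. Build a request whose SAN list carries the .int names no public CA will sign,
#    plus the public names, so one certificate covers every name clients use.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=exch01.domain.int" `
    -DomainName exch01.domain.int,exch01,mail.example.com,autodiscover.example.com `
    -PrivateKeyExportable $true `
    -Path C:\certs\exch01-internal.req

# 2. Submit it to the enterprise CA with the Web Server template and fetch the result.
certreq -submit -config "CA01.domain.int\domain-Issuing-CA" `
    -attrib "CertificateTemplate:WebServer" `
    C:\certs\exch01-internal.req C:\certs\exch01-internal.cer

# 3. Import and bind it. Enabling it for IIS replaces the certificate OWA presents,
#    so external browsers must either trust the internal root or reach OWA through
#    a reverse proxy that presents the public certificate (see note below).
$cert = Import-ExchangeCertificate -Path C:\certs\exch01-internal.cer
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 4. Publish the issuing CA's root into Active Directory so every domain member
#    trusts it (rootca.cer is the exported root certificate).
certutil -dspublish -f C:\certs\rootca.cer RootCA
# Alternative: import rootca.cer by Group Policy under Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies >
# Trusted Root Certification Authorities.

# 5. Verify: every name clients will use must appear in CertificateDomains, and
#    RootCAType should report the enterprise CA rather than a self-signed cert.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint,CertificateDomains,Services,RootCAType
```

The caveat the thread already hints at: a single IIS site serves both internal Outlook clients and external OWA users, so binding an internally issued certificate to IIS trades the internal name-mismatch error for an untrusted-issuer error on every machine outside the domain. That is why the internal CA only solves the problem cleanly when external access terminates on a proxy with its own public certificate, or when no external access exists.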
 

Author Comment

by:Herbein
ID: 24415062
Do you think anything will change making my problem better/worse with Exchange 2010?
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 150 total points
ID: 24417713
Exchange 2010 is based on Exchange 2007, so there will be no change there.
If you have an internal domain that you cannot get a certificate for, then it can be worked around.

You must have an internal DNS zone for your public DNS, so that you can publish autodiscover.example.com and your preferred OWA address internally with the internal IP address. Then all URLs within Exchange are changed to use the public name. It can be done, it is just hard work and a lot of testing involved to make sure that you have got every single reference changed.

Simon.
0
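Simon's split-DNS workaround carried through end to end, as an added example that is not from the thread. It assumes the AD domain is domain.int, the public domain is example.com, the Exchange 2007 SP1 Client Access server is EXCH01 at internal address 10.0.0.25, the internal DNS server is the domain controller DC01, and the existing public certificate already carries mail.example.com and autodiscover.example.com; every one of those values is a placeholder. The commands run in the Exchange Management Shell as an account that is both an Exchange Organization Administrator and a DNS administrator.

```powershell
# Added example (not the thread's own commands). Placeholders: EXCH01, DC01,
# domain.int, example.com, 10.0.0.25.

$server     = "EXCH01"
$publicHost = "mail.example.com"
$intIp      = "10.0.0.25"

# 1. Split-brain DNS: an AD-integrated internal copy of the public zone that resolves
#    the public names to the internal address. Because this zone now answers for all
#    of example.com inside the network, every other public record clients rely on
#    (www, MX targets, ...) has to be recreated here as well.
dnscmd DC01 /zoneadd example.com /dsprimary
dnscmd DC01 /recordadd example.com mail         A $intIp
dnscmd DC01 /recordadd example.com autodiscover A $intIp

# 2. Point every internal URL at a name that is actually on the public certificate.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.example.com/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$publicHost/EWS/Exchange.asmx"
# The OAB URL is the one that was failing above: by default it is the server FQDN.
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$publicHost/OAB"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$publicHost/owa"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$publicHost/Microsoft-Server-ActiveSync"
# Only if Outlook Anywhere is enabled: the certificate principal name Outlook expects.
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$publicHost"

# 3. Hunt for any reference that still uses the AD name. This must come back empty;
#    anything listed is a URL Outlook will still hit and get a name-mismatch error on.
$urls  = @()
$urls += Get-ClientAccessServer         | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OABVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls | Where-Object { $_ -and ("$_" -like "*.domain.int*") }

# 4. From a domain-joined client, confirm the public name now resolves to the
#    internal address before telling users the prompts are gone.
nslookup $publicHost
```

Two things to test after this: internal clients must reach 10.0.0.25 for mail.example.com while external clients still reach the public address (the internal zone must never be replicated or forwarded outward), and the Outlook 2003 users, who do not use Autodiscover, still need the OAB URL change because OAB download over HTTP is where the certificate name is checked.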
 
LVL 71

Accepted Solution

by:Chris Dent
Chris Dent earned 250 total points
ID: 24419933

The work-arounds will probably get you through this one, but I would suggest that in the slightly longer term you plan for a move to a domain name. It's a lot of work, but it's unlikely to get any easier in the future.

Chris
0
 

Author Comment

by:Herbein
ID: 24420837
Thanks for everyone's help.
0
