Windows internal domain name issue?

A few years ago, when we were designing our first Windows domain, we contacted a local consulting firm to discuss our options.  One topic of discussion was the name for our internal domain.  They informed us of the negatives of using our external domain name for the internal domain name, so they came up with two suggestions, domain.local or domain.int.  We opted for the shorter of the two, domain.int.  Fast forward two years and we add our first Exchange server; no issues until we go to purchase a unified communications certificate.  The certificate authority informs us that they cannot issue a certificate that contains domain.int since .int is reserved for intergovernmental organizations.  We cannot rename our internal domain name since Exchange 2007 does not support it, and ignoring the invalid name breaks certain features in Outlook 2007.  Do you see any other options?

Thanks
Mark
Asked by: Herbein
Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
You don't have to get a SAN/UCC cert for domain.int itself.
The records needed are
autodiscover.yourexternaldomain.com
mail.yourexternaldomain.com
netbios name of your exchange server
fqdn of your exchange server, so eg will be exchange.domain.int

Check whether they would issue a cert to exchangeservername.domain.int?

Read for more info on records needed.
http://enchiparambil.com/ucc_san_certificate_for_exchange_2007.aspx
Chris Dent (PowerShell Developer) commented:

Shoot the consultant that recommended .int?

I think your only real option is to shift over to a new domain / forest, which is really unpleasant.

Chris
Chris Dent (PowerShell Developer) commented:

It won't be allowed. To get to exchange.domain.int you'd have to prove ownership of domain.int, they won't issue a certificate to exchange.domain.int without ownership of the parent.

Chris
Herbein (author) commented:
I believe Chris is correct that I cannot purchase a certificate that contains domain.int without owning the parent and I cannot because of the requirements.

Any other options other than a new domain name?
Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
If you can't get a certificate, then a new domain name is your only option.
Justin Owens (ITIL Problem Manager) commented:
For external access (OWA, for example), get a certificate for mail.YOURREALDOMAIN.com.  For internal needs, use AD to issue your own security certificates.  You can issue your own certificate for a .int and it will work as long as you are not trying to publish it externally (which you shouldn't anyway, since you don't own the domain).

Before I go any further with a "how to" for internally issued certificates, I need to know what version of Windows 2003 you are using for AD and if you have any Windows 2008 servers running in your domain.

Herbein (author) commented:
We have a certificate for IIS and that works perfectly for OWA.  I also have a self-signed certificate for SMTP and that seems to be working fine.  What we found that is broken is the offline address book.  It only looks for the FQDN of the Exchange server, but I can't change the IIS certificate because that will break OWA.  I am not sure if any other functionality is broken since the majority of our users access Exchange with Outlook 2003.

Our Exchange server is on Windows 2008 and all other servers in the domain are 2003 R2.
Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
The only other way is to use an internal CA. Though it will take more steps to make it work for ActiveSync etc, that is your only other option.
Chris Dent (PowerShell Developer) commented:

I agree, an internal trusted CA isn't such a bad plan here. At least you can post its certificate into the trusted store via Group Policy. Doesn't much help for external connections, or anywhere you can't control the certificate store, but it should allow internal processes to work.

Chris
Herbein (author) commented:
Do you think anything will change making my problem better/worse with Exchange 2010?
Mestha commented:
Exchange 2010 is based on Exchange 2007, so there will be no change there.
If you have an internal domain that you cannot get a certificate for, then it can be worked around.

You must have an internal DNS zone for your public DNS, so that you can publish autodiscover.example.com and your preferred OWA address internally with the internal IP address. Then all URLs within Exchange are changed to use the public name. It can be done; it is just hard work, with a lot of testing involved to make sure that you have got every single reference changed.

Simon.
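The split-DNS workaround Simon describes, written out as an added example (not code from anyone in this thread). It assumes placeholder values: public domain example.com, internal AD domain domain.int, a single Exchange 2007 server EXCH01 with internal address 10.0.0.25, and DNS hosted on a domain controller; the DNS steps run on the DC, the Exchange steps in the Exchange Management Shell.

```powershell
# Added example, not from the thread. Placeholders: example.com (public
# domain), domain.int (internal AD domain), EXCH01 / 10.0.0.25 (Exchange
# server and its internal address). Adjust before use.

# 1. Internal copy of the public zone. Internal clients now resolve the public
#    names to the internal address. Because this zone shadows the public one
#    inside the network, every public record clients need (www, etc.) must be
#    re-created here too, or those names stop resolving internally.
dnscmd . /ZoneAdd example.com /DsPrimary
dnscmd . /RecordAdd example.com mail         A 10.0.0.25
dnscmd . /RecordAdd example.com autodiscover A 10.0.0.25

# 2. Point every client-facing Exchange URL at the public name, so that no
#    client is sent to exch01.domain.int (the name the public CA will not
#    put on the certificate). The IIS certificate must then carry
#    mail.example.com and autodiscover.example.com.
$server = "EXCH01"
$base   = "https://mail.example.com"
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.example.com/Autodiscover/Autodiscover.xml"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa"

# 3. Verify: nothing below should still mention domain.int, and the web
#    services test (Exchange 2007 SP1) should report no errors for a mailbox.
Get-ClientAccessServer $server | Format-List AutoDiscoverServiceInternalUri
Get-OabVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
Test-OutlookWebServices -Identity user@example.com | Format-List Id, Type, Message
```

Restart the Microsoft Exchange File Distribution service (or wait for the OAB generation cycle) after the OAB change, since clients pick up the new URL only on their next Autodiscover refresh.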
Chris Dent (PowerShell Developer) commented:

The work-arounds will probably get you through this one, but I would suggest that in the slightly longer term you plan for a move to a domain name. It's a lot of work, but it's unlikely to get any easier in the future.

Chris
Herbein (author) commented:
Thanks for everyone's help.