?
Solved

We don't own our internal domain

Posted on 2010-09-03
17
Medium Priority
?
397 Views
Last Modified: 2012-05-10
Our internal domain is owned by someone else and they aren't selling.  I've purchased a UNC cert for the external domain but the issue I'm facing is, when we open up outlook we get an alert, "The name on the security certificate is invaild or does not match the name of the site."


I need this to go away, does anyone have a fix?
0
Comment
Question by:Puke Foo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 2
  • +2
17 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 1000 total points
ID: 33597263
It does not really matter what your internal domain is called, what matters is that the url the user types matches the certificate on the exchange server, it is no different really than how most set ups go for example most domain will be called company.local but the email domain will be company.com However if your email domain is owned by someone else that's another story.
0
 
LVL 5

Expert Comment

by:pbeirne
ID: 33597339
Configure your certificate to use multiple client access server hostnames:

http://technet.microsoft.com/en-us/library/aa995942.aspx
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 1000 total points
ID: 33597345
do you use split dns? have an external dns zone for yourdomain.com and an internal zone for yourdomain.com. (this is for your external presence, so the domain users use to access owa)

if you do, you can configure autodiscover and the web services to use a certificate that only uses your external domain presence
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33597349
As MojoTech stated your internal domain is just that internal so it doesn't matter what it is called.

The same goes for certificates in that it appears you went out and bought a public certificate for your external domain and are trying to use it for internal domain which will not work.

I suggest the following to resolve this:

Reference this technet article: http://technet.microsoft.com/en-us/library/bb457160.aspx

Get a version of Enterprise Edition of Windows Server 2003 or 2008 and setup a Stand Alone Root Certificate authority for your internal domain. Also setup a Enterprise Subordinate Certificate Authority. Once you've setup the Stand Alone root and issued a certificate to the Enterprise Subordinate the Root can and should be taken offline. You can then use the Enterprise Subordinate to issue certificates for your internal domain and to users via Active Directory.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33597381
example:
users access owa by going to https://owa.contoso.com/owa
your internal domain is microsoft.com (obvious you don't own that one :)

if you have an internal dns zone for contoso.com, you can configure your urls to use contoso.com and your certificate does not need the other domain name
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://owa.contoso.com/ews/exchange.asmx -ExternalURL https://owa.contoso.com/ews/exchange.asmx
Get-OabVirtaulDirectory | Set-OabVirtualDirectory -InternalURL https://owa.contoso.com/oab -ExternalURL https://owa.contoso.com/oab
Set-ClientAccessServer CASName -AutoDiscoverServiceInternalURI https://owa.contoso.com/autodiscover/autodiscover.xml
Set-OutlookAnywhere -Server CASName -ExternalHostName owa.contoso.com
0
 

Author Comment

by:Puke Foo
ID: 33598307
Nuttycomputer,

To be clear you're saying, I should create A records in my external dns zone, (on the internal dns server) for my casarray name/ mail server names and then change the autodiscover to point to the external zone as well as oab, free busy, etc...?

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598480
you need to know what dns zones you have internally
you're configuration will depend on dns and the zones you have internally
0
 

Author Comment

by:Puke Foo
ID: 33598486
I have an internal dns zone for my external dns, that make sense?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598547
yes, what that means is you can configure all of your url values with the external name used by clients

here is an article
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
0
 

Author Comment

by:Puke Foo
ID: 33598558
thanks, real quick, will I need to reconfigure my cas array as well?
0
 

Author Comment

by:Puke Foo
ID: 33598649
we do not have a split brain domain
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598720
you said you had an internal dns zone for external dns

you don't need to reconfigure your cas array, that is independent of these web services
0
 

Author Comment

by:Puke Foo
ID: 33598739
we do have an internal dns zone for the external dns, but the internal domain name is not ours, we do not own it.  So I can't get a cert for our internal dns domain name.  But I have created an internal zone for the external dns so we can resolve those external addresses internal.
0
 

Author Comment

by:Puke Foo
ID: 33598795
to be clear, we have an external dns domain, contoso.com, we have an internal domain for both AD and say it's, windows.com, we don't own windows.com, but I do have an internal zone for it.  But I can't get a cert for it because I don't own it.
0
 

Author Comment

by:Puke Foo
ID: 33598806
I meant to say we have an internal domain for both AD and DNS, called windows.com
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598822
your external domain is contoso.com
do you have an internal dns zone for contoso.com
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33599688
batstrading,

While you can't get a certificate for "windows.com" froma  public issuing authority because the domain is strictly used internally you don't need it to be issued by one.

You can install Certificate Services as I mentioned in my previous post and create the certificate yourself for the server. You can then distribute it to all internal clients.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses
Course of the Month10 days, 11 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question