Solved

Internal DNS belongs to another company

Posted on 2011-02-16
889 Views
Last Modified: 2012-05-11
I have an Exchange 2007 domain, for example's sake called abc.com.  Our company however is called xyz.com.  Historically we have utilized both abc.com and xyz.com names in our SAN certificate; however, we are no longer able to utilize the abc.com domain externally.  Can split-brain DNS help me?
0
Question by:JRE_Associates
22 Comments
 
LVL 3

Expert Comment

by:iamshergill
ID: 34914094
Could you please elaborate on what you mean by "we are no longer able to utilize the abc.com domain externally"?
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 34914415
It sounds like something has changed with either your MX or CN record for abc.
Check with your ISP, or whoever did the DNS registrations for you.
0
 
LVL 3

Expert Comment

by:iamshergill
ID: 34914634
Provide me the below information:

- Are internal users able to send mail to each other?
- What happens if external users send mail to abc.com and xyz.com? Is there any NDR message that the sender receives?


0
 

Author Comment

by:JRE_Associates
ID: 34915062
The domain abc.com belongs to another organization and we are no longer able to use it.
0
 
LVL 3

Expert Comment

by:iamshergill
ID: 34915086
Hello JRE,

If abc.com belongs to another organization and you are not getting mails from external users in your messaging system for abc.com, it means that organization might have changed MX record.

Please go to www.mxtoolbox.com and enter your domain (abc.com). Look at the MX record and check whether the IP address is pointing to your server.
0
 

Author Comment

by:JRE_Associates
ID: 34915137
To elaborate, someone prior to me created our domain with abc.com, not understanding that abc.com is an actual public company and belongs to another organization, or maybe they thought we would never have email (it's been quite some time now since it was created).  Within the past 3 years they installed Exchange 2007 and created a SAN certificate with both domains to accommodate this configuration.  We have recently been contacted by the other organization noting that they will be utilizing their domain name next year.  I am tasked to resolve this issue without recreating our domain or Exchange 2007.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34915160

Once you've installed Exchange 2007 you can no longer use the Domain Rename tool. If the AD Domain is called that it leaves little space for movement, typically leaving you with the migrate to a new forest option.

It won't stop you trying it, but it does have a big fat "not supported" flag, meaning if it breaks there's not much anyone can do to help you.

For reference: http://support.microsoft.com/kb/925822/en-us

I suggest you start looking at a migration if you need to relinquish abc.com.

Chris
0
 
LVL 3

Expert Comment

by:iamshergill
ID: 34915800
If another organization is using domain abc.com, technically and legally you cannot use that domain publicly. However, if your Active Directory domain name is abc.com, that is something internal and you need not change the A.D. domain name. Users may have email address @abc.com and internally it will work.

But to accept mail from the Internet, you need to add an additional domain to the accepted list (@xyz.com) and recipient list and make this the primary SMTP address for the users. You would have to request a new certificate with the single domain name @xyz.com.

Please let me know if your query is resolved.
0
 
LVL 3

Expert Comment

by:iamshergill
ID: 34915819
Recipient List** = Recipient Policy
0
 

Author Comment

by:JRE_Associates
ID: 34915916
Exchange is configured to accept email for domains abc.com and xyz.com.  The problem is that soon we will need to update our SAN certificate to reflect only entries from xyz.com.  Our internal domain remains abc.com.  I am looking to see if there is a way to resolve OWA internally with abc.com using SSL and resolve OWA externally using SSL for xyz.com.
0
 
LVL 3

Expert Comment

by:iamshergill
ID: 34916012
How many CAS do you have?
0
 

Author Comment

by:JRE_Associates
ID: 34916178
I'll try to explain my situation a bit differently:
We have two domains.  Our internal domain was created for private use only.  However, our internal domain is actually another organization's public domain.  Why this was done?  I don't know.
Our company then decided to add email.  Our internal name does not correspond with our company name, so we registered our public domain name with our company name.

The error was then realized that we could not utilize our private domain name on the Internet because it belonged to another organization.  Because of the relationship which exists between the two companies, our organization has been granted rights to utilize their domain name, i.e. we added their public domain name to our SAN certificate.

Fast forwarding, I am now tasked with resolving the issue of how I allow access for both internal and external OWA users, Outlook Anywhere users, etc. once we remove our private domain name from our SAN certificate.   We have ISA front-ending this debacle as well, but I believe I can figure that component out if I can understand the framework to resolve the core issue.

I was thinking that setting up split-brain DNS would allow me to resolve users internally and externally with the correct records in place.  I still have the issue of the certificate error.
0
 

Author Comment

by:JRE_Associates
ID: 34916184
We are load balancing 2 CAS servers.
0
 
LVL 3

Expert Comment

by:iamshergill
ID: 34916204
One more solution...

I believe the whole issue is because you want to use a single domain name to access OWA. If so, below is the solution:

- In DNS, create a new zone with the "xyz.com" name.
- Create a host record (ex. mail) in the xyz.com zone which should point to your CAS.
- Get a certificate for the xyz.com domain name only.
- Create a new alias in abc.com and it should point to mail.xyz.com.
You should tell all users to access https://mail.xyz.com/owa (in case of Exchange 2003, https://mail.xyz.com/exchange). Users will now be able to access OWA. In case any user types https://mail.abc.com/exchange or https://mail.xyz.com/exchange, it will redirect to https://mail.xyz.com.

I believe this should fix your problem.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34916235
It won't redirect unless you do "something" on the web service.

Chris
0
 
LVL 3

Expert Comment

by:iamshergill
ID: 34916261
Dear JRE_Associates,

Sorry to be a bit rude, but the way you just explained your problem (ID: 34916178) is the correct way. You should elaborate your problem at the start in the same manner, which could save our time.

Now I believe all my answers and questions are of no good.

Give me some time to provide your solution as per your new comment (Comment ID: 34916178).
0
 

Author Comment

by:JRE_Associates
ID: 34916262
Thus far I've already done what you've said except creating the alias in abc.com which is the private domain.  What would that be for?
0
 

Author Comment

by:JRE_Associates
ID: 34916305
No need to apologize.  I realized that I was not effectively communicating which is why I explained it differently.  Thank you for the insight.
0
 

Author Comment

by:JRE_Associates
ID: 34916360
FYI - we are using Exchange 2007
0
 
LVL 3

Accepted Solution

by:iamshergill (earned 500 total points)
ID: 34924467
Let's say...
Internal Domain + Other Organization domain: internal.com

Company Name (Domain): companya.com

Certificate SAN:
internal.com
companya.com
_______________________
Solution:
Now in your internal domain, you have to do the below steps:

- On the DNS server, create a new zone with the name companya.com. In this zone, create a new host record which should point to your CAS server, like mail.companya.com.
- On the DNS server, in the internal.com zone, create an alias which should point to mail.companya.com.

- Go to Exchange Management Console > Server Configuration > Select Server > in the lower pane, under the "Outlook Web Access" tab, select "OWA (Default Web Site)" > Properties.
- Set Internal URL and External URL to https://mail.companya.com/owa.


*Note: You need not remove the internal.com domain name from anywhere in your messaging system or A.D. Unless it is published, it will not have any effect on your messaging system. You just need to remove the MX record for the internal.com domain from the Internet DNS server.
0
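The procedure in the accepted solution (and the earlier comment ID 34916204 it repeats) can be scripted rather than clicked through. The following is an added example, not code from the thread or from any of its participants: it builds the internal copy of the public zone, adds the alias in the AD zone, points every client-facing Exchange 2007 URL at the public name, and requests a certificate that names only that public namespace. All names are assumptions chosen to match the question: abc.com is the AD domain owned by someone else, xyz.com is the company's own domain, CAS01/CAS02 sit behind an NLB address of 10.0.0.50, and DC01 is the internal DNS server. The dnscmd part runs on a DNS admin's workstation against the DC; the rest runs in the Exchange Management Shell.

```powershell
# Added example (not from the thread): split-brain DNS plus Exchange 2007 client URLs.
# Assumed names: AD domain abc.com (publicly owned by another company), public domain
# xyz.com, CAS servers CAS01/CAS02 behind NLB VIP 10.0.0.50, internal DNS server DC01.

$PublicDomain = 'xyz.com'        # namespace the company owns and can certify
$InternalAd   = 'abc.com'        # AD forest name; must not appear on a public certificate
$CasVip       = '10.0.0.50'      # assumed NLB address of the two CAS servers
$DnsServer    = 'DC01'           # assumed internal DNS server (a DC)
$ClientHost   = "mail.$PublicDomain"
$AutoDHost    = "autodiscover.$PublicDomain"

# 1. Internal copy of the public zone (the "split brain"). Internal clients now resolve
#    mail.xyz.com to the CAS VIP; the zone on the Internet keeps pointing at ISA.
#    /DsPrimary stores it in AD so every DC that runs DNS serves it.
dnscmd $DnsServer /ZoneAdd $PublicDomain /DsPrimary
dnscmd $DnsServer /RecordAdd $PublicDomain mail A $CasVip
dnscmd $DnsServer /RecordAdd $PublicDomain autodiscover A $CasVip
# Caveat: once this zone exists internally it is authoritative for ALL of xyz.com, so
# every public name internal users still need (www, etc.) has to be added here too.

# 2. Alias in the AD zone so an old mail.abc.com bookmark still resolves. The browser
#    still warns about the name until the user switches to mail.xyz.com; the redirect
#    mentioned in the thread needs an IIS rule, DNS alone cannot do it.
dnscmd $DnsServer /RecordAdd $InternalAd mail CNAME "$ClientHost."

# 3. Every URL Exchange hands to clients, internal and external, uses the public name,
#    including the Autodiscover SCP that domain-joined Outlook finds via AD.
foreach ($cas in 'CAS01', 'CAS02') {
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -InternalUrl "https://$ClientHost/owa" -ExternalUrl "https://$ClientHost/owa"
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -InternalUrl "https://$ClientHost/EWS/Exchange.asmx" `
        -ExternalUrl "https://$ClientHost/EWS/Exchange.asmx"
    Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
        -InternalUrl "https://$ClientHost/OAB" -ExternalUrl "https://$ClientHost/OAB"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -ExternalUrl "https://$ClientHost/Microsoft-Server-ActiveSync"
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"
    Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $ClientHost
}

# 4. Certificate request naming only the public namespace (no abc.com entries at all).
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$ClientHost" `
    -DomainName $ClientHost, $AutoDHost -PrivateKeyExportable $true -Path 'C:\certreq\xyz.req'
# After the CA returns the certificate, on the first CAS:
#   Import-ExchangeCertificate -Path 'C:\certreq\xyz.cer' | Enable-ExchangeCertificate -Services IIS
# then export it with the private key and import it on the second CAS and on ISA.
```

The order matters for the reason the thread's closing comment hints at: the internal DNS zone and records go in before the URLs change, otherwise internal clients are handed a name they cannot resolve. Setting AutoDiscoverServiceInternalUri is what stops domain-joined Outlook from contacting cas01.abc.com directly and tripping over a certificate that no longer lists that name.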
 

Author Closing Comment

by:JRE_Associates
ID: 34935739
Thank you for your insight with this problem.  This answer was partially correct and I certainly appreciate all your insight into this matter.  I stated in the previous note that we are not able to renew the certificate with the other organization's name... even if it is only for our internal private use.  Nonetheless the process you provided earlier was on the right track:

1.) Create new SAN certificate with only my public namespace
2.) Create internal DNS zone for public namespace.
3.) Create SAN certificate records in new DNS zone
4.) Ensure all internal clients utilize only internal DNS for all name resolution.
5.) Install SAN certificate on CAS server.
6.) Export all certificates to appropriate servers - ISA, CAS, Edge, etc.
7.) Point all internal and external Exchange URLs to public namespace - https://mail.mycompany.org/owa (which is being resolved internally)
8.) Inform all internal users to connect to OWA with the distributed link from #7

As they say - the devil is in the detail.  In my situation I have NLB CAS/HUB, EDGE, and ISA 2006 servers to contend with.  I didn't document all the gory details involved but will at some point place all the information out for everyone who may have this same unfortunate circumstance as well.

Thank you again for all your assistance.
0
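Steps 4 and 7 of the closing comment are where the "certificate error" the asker kept mentioning is won or lost: every hostname Exchange publishes must resolve internally and must be covered by the certificate bound to IIS, and that certificate must no longer carry the other organization's name. The check below is an added example, not from the thread or its participants; it runs in the Exchange 2007 Management Shell on a CAS and assumes the company's only certifiable namespace is xyz.com (the suffix in $OwnedSuffix is an assumption to adjust). It is more general than the thread in that it walks every client-facing virtual directory, not just OWA.

```powershell
# Added check (not from the thread): compare the names Exchange 2007 hands to clients
# against the IIS certificate and internal DNS. Assumed: run in the Exchange Management
# Shell on a CAS; xyz.com is the only namespace the company owns (assumption).

$OwnedSuffix = '.xyz.com'

function Get-ClientUrlHosts {
    # Hostnames from every client-facing URL, internal and external, plus the SCP URI
    $urls = @()
    $urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    $urls += Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
    $urls | Where-Object { $_ } | ForEach-Object { ([System.Uri]"$_").Host } | Sort-Object -Unique
}

function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    # Exact match, or a wildcard that covers exactly one label (*.xyz.com matches
    # mail.xyz.com but not a.b.xyz.com), which is how browsers and Outlook evaluate it
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and
            $HostName.EndsWith($n.Substring(1)) -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

# The certificate currently answering HTTPS on this CAS
$iisCert   = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })

# Finding 1: any name on the certificate outside the namespace the company owns
# (the abc.com situation in the question)
$certNames | Where-Object { -not $_.EndsWith($OwnedSuffix) } |
    ForEach-Object { Write-Warning "IIS certificate still names '$_', which is outside $OwnedSuffix" }

# Finding 2: each published hostname must resolve from here and be covered by the certificate
foreach ($h in Get-ClientUrlHosts) {
    $resolved = try { ([System.Net.Dns]::GetHostAddresses($h) | Select-Object -First 1).IPAddressToString }
                catch { 'UNRESOLVED' }
    $status   = if (Test-NameCovered $h $certNames) { 'OK' } else { 'CERT MISMATCH' }
    '{0,-45} {1,-16} {2}' -f $h, $resolved, $status
}
```

Run it from a domain-joined machine after the internal zone is in place: a row showing UNRESOLVED means step 4 (internal clients resolving the public zone internally) is incomplete, and CERT MISMATCH means a URL still points at a name the new certificate does not carry, typically a server FQDN in the AD domain that was never changed.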
 

Author Comment

by:JRE_Associates
ID: 34935747
Please note that comment : 02/17/11 08:21 AM, ID: 34916204
was the correct answer.  This is my first time using this service so I made a mistake in choosing the right comment.
0
