Question from JRE_Associates (United States):
Internal DNS belongs to another company

I have an Exchange 2007 domain, for example's sake called abc.com. Our company, however, is called xyz.com. Historically we have utilized both the abc.com and xyz.com names in our SAN certificate; however, we are no longer able to utilize the abc.com domain externally. Can split-brain DNS help me?
iamshergill (Belgium):

Could you please elaborate on what you mean by "we are no longer able to utilize the abc.com domain externally"?
It sounds like something has changed with either your MX or CN record for abc.
Check with your ISP, or whoever did the DNS registrations for you.
Please provide the information below:

- Are internal users able to send mail to each other?
- What happens if external users send mail to abc.com and xyz.com? Is there any NDR message that the sender receives?


JRE_Associates (asker):

The domain abc.com belongs to another organization and we are no longer able to use it.

Hello JRE,

If abc.com belongs to another organization and you are not getting mail from external users in your messaging system for abc.com, it means that organization might have changed the MX record.

Please go to www.mxtoolbox.com and enter your domain (abc.com). Check the MX record and whether the IP address is pointing to your server.

To elaborate, someone prior to me created our domain with abc.com, not understanding that abc.com is an actual public company and belongs to another organization, or maybe they thought we would never have email (it's been quite some time now since it was created). Within the past 3 years they installed Exchange 2007 and created a SAN certificate with both domains to accommodate this configuration. We have recently been contacted by the other organization noting that they will be utilizing their domain name next year. I am tasked to resolve this issue without recreating our domain or Exchange 2007.
Chris Dent:

Once you've installed Exchange 2007 you can no longer use the Domain Rename tool. If the AD domain is called that, it leaves little space for movement, typically leaving you with the migrate-to-a-new-forest option.

It won't stop you trying it, but it does have a big fat "not supported" flag, meaning if it breaks there's not much anyone can do to help you.

For reference: http://support.microsoft.com/kb/925822/en-us

I suggest you start looking at a migration if you need to relinquish abc.com.

Chris
If another organization is using the domain abc.com, technically and legally you cannot use that domain publicly. However, if your Active Directory domain name is abc.com, that is something internal and you need not change the AD domain name. Users may have email addresses @abc.com and internally it will work.

But to accept mail from the Internet, you need to add an additional domain to the accepted domains list (@xyz.com) and the recipient list, and make this the primary SMTP address for the users. You would have to request a new certificate with the single domain name xyz.com.

Please let me know if your query is resolved.
Recipient List** = Recipient Policy
Exchange is configured to accept email for the domains abc.com and xyz.com. The problem is that soon we will need to update our SAN certificate to reflect only entries from xyz.com. Our internal domain remains abc.com. I am looking to see if there is a way to resolve OWA internally with abc.com using SSL and resolve OWA externally using SSL for xyz.com.

How many CAS servers do you have?

I'll try to explain my situation a bit differently:

We have two domains. Our internal domain was created for private use only. However, our internal domain is actually another organization's public domain. Why was this done? I don't know.
Our company then decided to add email. Our internal name does not correspond with our company name, so we registered our public domain name with our company name.

The error was then realized that we could not utilize our private domain name on the Internet because it belonged to another organization. Because of the relationship which exists between the two companies, our organization has been granted rights to utilize their domain name, i.e. we added their public domain name to our SAN certificate.

Fast forwarding, I am now tasked with resolving the issue of how to allow access for both internal and external OWA users, Outlook Anywhere users, etc. once we remove our private domain name from our SAN certificate. We have ISA front-ending this debacle as well, but I believe I can figure that component out if I can understand the framework to resolve the core issue.

I was thinking that setting up split-brain DNS would allow me to resolve users internally and externally with the correct records in place. I still have the issue of the certificate error.

We are load balancing 2 CAS servers.
One more solution...

I believe the whole issue is because you want to use a single domain name to access OWA. If so, below is the solution:

- In DNS, create a new zone with the name "xyz.com".
- Create a host record (e.g. mail) in the xyz.com zone which should point to your CAS.
- Get a certificate for the xyz.com domain name only.
- Create a new alias (CNAME) in abc.com which should point to mail.xyz.com.

You should tell all users to access https://mail.xyz.com/owa (in the case of Exchange 2003, https://mail.xyz.com/exchange). Users will now be able to access OWA. In case any user types https://mail.abc.com/exchange or https://mail.xyz.com/exchange, it will redirect to https://mail.xyz.com.

I believe this should fix your problem.
It won't redirect unless you do "something" on the web service.

Chris
Dear JRE_Associates,

Sorry to be a bit rude, but the way you just explained your problem (ID: 34916178) is the correct way. You should elaborate your problem at the start in the same manner, which could save our time.

Now I believe all my answers and questions are of no use.

Give me some time to provide your solution as per your new comment (ID: 34916178).

Thus far I've already done what you've said except creating the alias in abc.com, which is the private domain. What would that be for?

No need to apologize. I realized that I was not effectively communicating, which is why I explained it differently. Thank you for the insight.

FYI - we are using Exchange 2007.
ASKER CERTIFIED SOLUTION by iamshergill (Belgium)
Thank you for your insight with this problem. This answer was partially correct and I certainly appreciate all your insight into this matter. I stated in the previous note that we are not able to renew the certificate with the other organization's name, even if it is only for our internal private use. Nonetheless, the process you provided earlier was on the right track:

1.) Create a new SAN certificate with only my public namespace.
2.) Create an internal DNS zone for the public namespace.
3.) Create the SAN certificate's records in the new DNS zone.
4.) Ensure all internal clients utilize only internal DNS for all name resolution.
5.) Install the SAN certificate on the CAS server.
6.) Export all certificates to the appropriate servers - ISA, CAS, Edge, etc.
7.) Point all internal and external Exchange URLs to the public namespace - https://mail.mycompany.org/owa (which is being resolved internally).
8.) Inform all internal users to connect to OWA with the distributed link from #7.

As they say, the devil is in the detail. In my situation I have NLB CAS/HUB, Edge, and ISA 2006 servers to contend with. I didn't document all the gory details involved but will at some point place all the information out for everyone who may have this same unfortunate circumstance as well.

Thank you again for all your assistance.

Please note that the comment of 02/17/11 08:21 AM, ID: 34916204, was the correct answer. This is my first time using this service, so I made a mistake in choosing the right comment.
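The following is an added worked example, not code posted by anyone in this thread. It walks the eight steps in the asker's list (and the zone/host/alias steps iamshergill gave earlier) as Exchange Management Shell and dnscmd commands for Exchange 2007 on Windows Server 2008, and goes a little beyond the thread by also setting the EWS, OAB, ActiveSync, Autodiscover and Outlook Anywhere URLs, since Outlook clients check those names against the certificate too. All names and addresses (xyz.com, abc.com, the CAS NLB VIP 10.0.0.50, the server names CAS1/CAS2, the C:\certs paths, the 203.0.113.10 web server) are assumptions for illustration.

```powershell
# Added example for the thread above (not the thread's own code). Assumed names throughout.
$PublicZone  = "xyz.com"               # registered public namespace (asker's "mycompany.org")
$PrivateZone = "abc.com"               # AD domain name, publicly owned by another organization
$ClientHost  = "mail.$PublicZone"      # the single name every client will use
$CasVip      = "10.0.0.50"             # assumed internal NLB VIP of the two CAS servers
$CasServers  = "CAS1","CAS2"           # assumed NLB member names
$CertReqPath = "C:\certs\mail.xyz.com.req"
$CertPath    = "C:\certs\mail.xyz.com.cer"   # issued certificate returned by the CA
$PfxPath     = "C:\certs\mail.xyz.com.pfx"

# Steps 2 and 3: an internal copy of the public zone (split-brain DNS). Once this zone
# exists, internal resolvers never see the Internet copy of xyz.com, so every public
# name internal clients need (www, autodiscover, ...) must be recreated here as well.
dnscmd . /ZoneAdd $PublicZone /DsPrimary
dnscmd . /RecordAdd $PublicZone mail         A $CasVip
dnscmd . /RecordAdd $PublicZone autodiscover A $CasVip
dnscmd . /RecordAdd $PublicZone www          A 203.0.113.10   # assumed public web server; copy from public DNS

# iamshergill's optional alias in the private zone: a client that still types the old
# name resolves, but the browser compares the name it typed (mail.abc.com) with the
# certificate, so this alone does not remove the certificate warning (Chris's point).
dnscmd . /RecordAdd $PrivateZone mail CNAME "$ClientHost."

# Step 1: certificate request containing only the public namespace.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$ClientHost" `
    -DomainName $ClientHost,"autodiscover.$PublicZone" `
    -PrivateKeyExportable $true -Path $CertReqPath
# ... submit $CertReqPath to the CA and save the issued certificate as $CertPath ...

# Step 5: import the issued certificate on the first CAS and bind it to IIS and SMTP.
$cert = Import-ExchangeCertificate -Path $CertPath
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# Step 6: export with the private key for the second CAS node, the Edge server and ISA.
$pfxPassword = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password $pfxPassword -Path $PfxPath
# On each other server: Import-ExchangeCertificate -Path $PfxPath -Password $pfxPassword
# followed by Enable-ExchangeCertificate with the services that server runs.

# Step 7: point every internal and external URL at the one public name on both CAS servers.
foreach ($cas in $CasServers) {
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -InternalUrl "https://$ClientHost/owa" -ExternalUrl "https://$ClientHost/owa"
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -InternalUrl "https://$ClientHost/EWS/Exchange.asmx" -ExternalUrl "https://$ClientHost/EWS/Exchange.asmx"
    Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
        -InternalUrl "https://$ClientHost/OAB" -ExternalUrl "https://$ClientHost/OAB"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$ClientHost/Microsoft-Server-ActiveSync" -ExternalUrl "https://$ClientHost/Microsoft-Server-ActiveSync"
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri "https://$ClientHost/Autodiscover/Autodiscover.xml"
    Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $ClientHost
}

# Steps 4 and 8 verification, run from an internal client: the name must resolve to the
# internal VIP (not the public address), and the certificate presented must carry it.
nslookup $ClientHost
Get-ExchangeCertificate -DomainName $ClientHost | Format-List Thumbprint,Subject,CertificateDomains,Services
Get-OwaVirtualDirectory | Format-List Identity,InternalUrl,ExternalUrl
Get-ClientAccessServer | Format-List Name,AutoDiscoverServiceInternalUri
```

The point of the verification block is that split-brain DNS only works if internal clients never fall back to a public resolver: a laptop with a hard-coded external DNS server will resolve mail.xyz.com to the ISA address, and any public record missing from the internal zone will simply fail to resolve inside the network. The CNAME in abc.com is kept purely for convenience, since abc.com is the AD domain and is never published.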