Internal DNS belongs to another company

I have an Exchange 2007 domain, for example's sake called abc.com. Our company, however, is called xyz.com. Historically we have utilized both the abc.com and xyz.com names in our SAN certificate; however, we are no longer able to utilize the abc.com domain externally. Can split-brain DNS help me?
JRE_Associates asked:
iamshergill commented (accepted solution):
Let's say:
Internal domain + other organization's domain: internal.com

Company name (domain): companya.com

Certificate SAN:
internal.com
companya.com
_______________________
Solution:
Now in your internal domain, you have to do the steps below:

- On the DNS server, create a new zone with the name companya.com. In this zone, create a new host record which should point to your CAS server, like mail.companya.com.
- On the DNS server, in the internal.com zone, create an alias which should point to mail.companya.com.

- Go to Exchange Management Console > Server Configuration > select the server > in the lower pane, under the "Outlook Web Access" tab, select "OWA (Default Web Site)" > Properties.
- Set the Internal URL and External URL to https://mail.companya.com/owa

*Note: You need not remove the internal.com domain name from anywhere in your messaging system or AD. Unless it is published, it will not have any effect on your messaging system. You just need to remove the MX record for the internal.com domain from the Internet DNS server.

iamshergill commented:
Could you please elaborate on what you mean by "we are no longer able to utilize the abc.com domain externally"?

Chev_PCN commented:
It sounds like something has changed with either your MX or CN record for abc.
Check with your ISP, or whoever did the DNS registrations for you.
iamshergill commented:
Provide me the information below:

- Are internal users able to send mail to each other?
- What happens if external users send mail to abc.com and xyz.com? Is there any NDR message that the sender receives?

JRE_Associates (author) commented:
The domain abc.com belongs to another organization and we are no longer able to use it.

iamshergill commented:
Hello JRE,

If abc.com belongs to another organization and you are not getting mail from external users in your messaging system for abc.com, it means that organization might have changed the MX record.

Please go to www.mxtoolbox.com and enter your domain (abc.com). Check the MX record and whether the IP address points to your server.

JRE_Associates (author) commented:
To elaborate, someone prior to me created our domain as abc.com, not understanding that abc.com is an actual public company and belongs to another organization, or maybe they thought we would never have email (it's been quite some time now since it was created). Within the past 3 years they installed Exchange 2007 and created a SAN certificate with both domains to accommodate this configuration. We have recently been contacted by the other organization noting that they will be utilizing their domain name next year. I am tasked with resolving this issue without recreating our domain or Exchange 2007.

Chris Dent (PowerShell Developer) commented:

Once you've installed Exchange 2007 you can no longer use the Domain Rename tool. If the AD Domain is called that it leaves little space for movement, typically leaving you with the migrate to a new forest option.

It won't stop you trying it, but it does have a big fat "not supported" flag, meaning if it breaks there's not much anyone can do to help you.

For reference: http://support.microsoft.com/kb/925822/en-us

I suggest you start looking at a migration if you need to relinquish abc.com.

Chris
iamshergill commented:
If another organization is using the domain abc.com, technically and legally you cannot use that domain publicly. However, if your Active Directory domain name is abc.com, that is something internal and you need not change the AD domain name. Users may have email addresses @abc.com and internally it will work.

But to accept mail from the Internet, you need to add an additional domain to the accepted list (@xyz.com) and the recipient list and make this the primary SMTP address for the users. You would have to request a new certificate with the single domain name @xyz.com.

Please let me know if your query is resolved.

iamshergill commented:
Recipient List** = Recipient Policy

JRE_Associates (author) commented:
Exchange is configured to accept email for the domains abc.com and xyz.com. The problem is that soon we will need to update our SAN certificate to reflect only entries for xyz.com. Our internal domain remains abc.com. I am looking to see if there is a way to resolve OWA internally with abc.com using SSL and resolve OWA externally using SSL for xyz.com.

iamshergill commented:
How many CAS servers do you have?

JRE_Associates (author) commented:
I'll try to explain my situation a bit differently:
We have two domains. Our internal domain was created for private use only. However, our internal domain is actually another organization's public domain. Why this was done? I don't know.
Our company then decided to add email. Our internal name does not correspond with our company name, so we registered our public domain name with our company name.

The error was then realized that we could not utilize our private domain name on the Internet because it belonged to another organization. Because of the relationship which exists between the two companies, our organization has been granted rights to utilize their domain name, i.e. we added their public domain name to our SAN certificate.

Fast forwarding, I am now tasked with resolving the issue of how to allow access for both internal and external OWA users, Outlook Anywhere users, etc. once we remove our private domain name from our SAN certificate. We have ISA front-ending this debacle as well, but I believe I can figure that component out if I can understand the framework to resolve the core issue.

I was thinking that setting up split-brain DNS would allow me to resolve users internally and externally with the correct records in place. I still have the issue of the certificate error.

JRE_Associates (author) commented:
We are load balancing 2 CAS servers.

iamshergill commented:
One more solution...

I believe the whole issue is because you want to use a single domain name to access OWA. If so, below is the solution:

- In DNS, create a new zone with the name "xyz.com".
- Create a host record (e.g. mail) in the xyz.com zone which should point to your CAS.
- Get a certificate for the xyz.com domain name only.
- Create a new alias in abc.com which should point to mail.xyz.com.
You should tell all users to access https://mail.xyz.com/owa (in the case of Exchange 2003, https://mail.xyz.com/exchange). Users will now be able to access OWA. In case any user types https://mail.abc.com/exchange or https://mail.xyz.com/exchange, it will redirect to https://mail.xyz.com.

I believe this should fix your problem.

Chris Dent (PowerShell Developer) commented:
It won't redirect unless you do "something" on the web service.

Chris

iamshergill commented:
Dear JRE_Associates,

Sorry to be a bit rude, but the way you just explained your problem (ID: 34916178) is the correct way. You should have elaborated your problem in the same manner at the start, which could have saved our time.

Now I believe all my answers and questions are of no good.

Give me some time to provide your solution as per your new comment (Comment ID: 34916178).

JRE_Associates (author) commented:
Thus far I've already done what you've said except creating the alias in abc.com, which is the private domain. What would that be for?

JRE_Associates (author) commented:
No need to apologize. I realized that I was not effectively communicating, which is why I explained it differently. Thank you for the insight.

JRE_Associates (author) commented:
FYI - we are using Exchange 2007.

JRE_Associates (author) commented:
Thank you for your insight with this problem. This answer was partially correct and I certainly appreciate all your insight into this matter. I stated in the previous note that we are not able to renew the certificate with the other organization's name... even if it is only for our internal private use. Nonetheless the process you provided earlier was on the right track:

1.) Create a new SAN certificate with only my public namespace.
2.) Create an internal DNS zone for the public namespace.
3.) Create SAN certificate records in the new DNS zone.
4.) Ensure all internal clients utilize only internal DNS for all name resolution.
5.) Install the SAN certificate on the CAS server.
6.) Export all certificates to the appropriate servers - ISA, CAS, Edge, etc.
7.) Point all internal and external Exchange URLs to the public namespace - https://mail.mycompany.org/owa (which is being resolved internally).
8.) Inform all internal users to connect to OWA with the distributed link from #7.

As they say - the devil is in the detail. In my situation I have NLB CAS/HUB, Edge, and ISA 2006 servers to contend with. I didn't document all the gory details involved but will at some point place all the information out for everyone who may have this same unfortunate circumstance as well.

Thank you again for all your assistance.
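The eight steps above, the accepted answer and the "one more solution" comment earlier in the thread all come down to the same four actions: an internal copy of the public DNS zone whose host records point at the CAS (split-brain DNS), a certificate that names only the public namespace, that certificate installed on every CAS (and exported for the Edge and ISA), and every Exchange URL pointed at the public name so internal and external clients see the same host name the certificate covers. The script below is an added example, not code from the thread or from any participant. All names in it are assumptions: internal AD/DNS zone abc.com, public namespace xyz.com, DNS server DC1, NLB'd CAS servers CAS1 and CAS2 behind VIP 10.0.0.50, and request/certificate files under C:\certs. It assumes the Exchange Management Shell of Exchange 2007 SP1 or later on PowerShell 2.0, run by someone who is also a DNS admin; dnscmd.exe is part of the Windows Server 2008 DNS role.

```powershell
# Added example, not from the thread. Assumed names: internal zone abc.com, public
# namespace xyz.com, DNS server DC1, CAS1/CAS2 behind NLB VIP 10.0.0.50, C:\certs.
$PublicZone   = 'xyz.com'
$InternalZone = 'abc.com'
$DnsServer    = 'DC1'
$CasVip       = '10.0.0.50'
$CasServers   = 'CAS1', 'CAS2'
$Mail         = "mail.$PublicZone"
$Autodiscover = "autodiscover.$PublicZone"

# Steps 2-4: split-brain DNS. An AD-integrated copy of the public zone on the
# internal DNS servers, holding only the names internal clients must resolve.
# Internally these point at the CAS VIP; the public zone keeps pointing at ISA.
dnscmd $DnsServer /ZoneAdd $PublicZone /DsPrimary
foreach ($h in 'mail', 'autodiscover') { dnscmd $DnsServer /RecordAdd $PublicZone $h A $CasVip }

# Optional alias so the old internal name keeps resolving. As noted in the
# thread, DNS alone does not redirect /owa; that is an IIS redirect setting.
dnscmd $DnsServer /RecordAdd $InternalZone mail CNAME "$Mail."

# Steps 1 and 5: request and enable a certificate naming the public namespace only.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$Mail, O=XYZ, C=US" `
    -DomainName $Mail, $Autodiscover -PrivateKeyExportable $true `
    -Path 'C:\certs\xyz-com.req'
# Submit C:\certs\xyz-com.req to the CA, save the issued cert as xyz-com.cer, then:
$Cert = Import-ExchangeCertificate -Path 'C:\certs\xyz-com.cer'
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS, SMTP

# Step 6: export with the private key for the second CAS, the Edge and ISA.
$PfxPassword = Read-Host 'PFX password' -AsSecureString
Export-ExchangeCertificate -Thumbprint $Cert.Thumbprint -BinaryEncoded:$true `
    -Password $PfxPassword -Path 'C:\certs\xyz-com.pfx'

# Step 7: every URL the CAS hands out uses the public name, on both NLB members.
foreach ($s in $CasServers) {
    Set-OwaVirtualDirectory "$s\owa (Default Web Site)" `
        -InternalUrl "https://$Mail/owa" -ExternalUrl "https://$Mail/owa"
    Set-WebServicesVirtualDirectory "$s\EWS (Default Web Site)" `
        -InternalUrl "https://$Mail/EWS/Exchange.asmx" -ExternalUrl "https://$Mail/EWS/Exchange.asmx"
    Set-OabVirtualDirectory "$s\OAB (Default Web Site)" `
        -InternalUrl "https://$Mail/OAB" -ExternalUrl "https://$Mail/OAB"
    Set-ActiveSyncVirtualDirectory "$s\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$Mail/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Mail/Microsoft-Server-ActiveSync"
    Set-ClientAccessServer $s -AutoDiscoverServiceInternalUri "https://$Autodiscover/Autodiscover/Autodiscover.xml"
    Set-OutlookAnywhere "$s\Rpc (Default Web Site)" -ExternalHostname $Mail
}
# Outlook Anywhere validates the certificate subject against this principal name.
Set-OutlookProvider EXPR -CertPrincipalName "msstd:$Mail"

# Check: a URL whose host is not in the certificate, or does not resolve
# internally to the VIP, is exactly what produces the certificate error.
function Test-PublicNamespace {
    param([string]$Thumbprint, [string]$ExpectedIp)
    $certHosts = @((Get-ExchangeCertificate -Thumbprint $Thumbprint).CertificateDomains |
        ForEach-Object { "$_".ToLower() })
    $urls  = @(Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    $urls += @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    $urls += @(Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    $urls += @(Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
    foreach ($u in ($urls | Where-Object { $_ } | ForEach-Object { "$_" } | Select-Object -Unique)) {
        $h = ([uri]$u).Host.ToLower()
        try   { $ips = @([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }) }
        catch { $ips = @() }   # unresolvable name: client cannot reach it at all
        New-Object PSObject -Property @{
            Url           = $u
            InCert        = ($certHosts -contains $h)
            ResolvesToVip = ($ips -contains $ExpectedIp)
        }
    }
}
Test-PublicNamespace -Thumbprint $Cert.Thumbprint -ExpectedIp $CasVip | Format-Table -AutoSize
```

Run the check from an internal client's point of view (a machine using only the internal DNS servers); any row showing InCert or ResolvesToVip as False is a URL that will still throw a certificate warning or a connection failure once the abc.com names leave the certificate. The same table, run from outside, should show the URLs resolving to the ISA address instead.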
JRE_Associates (author) commented:
Please note that the comment of 02/17/11 08:21 AM, ID: 34916204,
was the correct answer. This is my first time using this service, so I made a mistake in choosing the right comment.