Solved

Exchange 2010 SAN certificate

Posted on 2011-02-24
Last Modified: 2012-05-11
I'm getting my SAN certificate soon and I need to confirm that I'm doing it right.

My Internet Name: ACME.COM

My AD: N.ACME.COM

My Exchange 2010 Server: Mail.IN.ACME.COM

My CAS is Internet facing: OWA.ACME.ORG

We will be doing DAG but in the future. We will be adding another CAS server under the ACME.COM Domain. I do not know what the name of that server will be at this time.

I understand that I need the following info on the SAN:

owa.domain.com
autodiscover.domain.com
CAS server FQDN
CAS server name

In my case I assume that the info on my SAN should look like this then:

OWA.ACME.COM
autodiscover.ACME.COM
MAIL.IN.ACME.COM
MAIL

Is the above correct? What about the CAS servers that I will use in the future? What can I do about that?



Question by:iamuser

Accepted Solution

by:Glen Knight
ID: 34974807
OK, what you need is:

OWA.ACME.COM (the OWA URL)
autodiscover.ACME.COM (The acme.com here must be what is used after the @ in the primary email address)
MAIL.IN.ACME.COM (the internal fully qualified domain name of your server)
MAIL (some recommend this, I have never added it to mine and have never experienced a problem)
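The SAN list from the accepted answer, turned into a certificate request and a coverage check for the installed certificate. This is an added example, not part of the original thread; the file path, the friendly name and the helper `Test-NameCovered` are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# Host names come from the thread; the file path and friendly name are assumptions.
$required = @(
    'owa.acme.com',           # OWA URL
    'autodiscover.acme.com',  # domain after the @ in the primary email address
    'mail.in.acme.com'        # internal FQDN of the server
)   # the short name 'mail' is optional according to the accepted answer

# Hypothetical helper: true when $Name is covered by an exact SAN entry
# or by a wildcard entry that replaces exactly one left-most label.
function Test-NameCovered {
    param([string]$Name, [string[]]$San)
    $n = $Name.ToLowerInvariant()
    foreach ($entry in $San) {
        $e = $entry.ToLowerInvariant()
        if ($e -eq $n) { return $true }
        # *.acme.com covers owa.acme.com but not mail.in.acme.com or mail
        if ($e.StartsWith('*.') -and $n.Contains('.') -and
            $n.Substring($n.IndexOf('.')) -eq $e.Substring(1)) { return $true }
    }
    return $false
}

# Step 1: create the request with every name in the SAN and save it for the CA.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=owa.acme.com' `
    -DomainName $required `
    -FriendlyName 'Exchange 2010 SAN' `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\Temp\exchange-san.req' -Value $csr

# Step 2 (rerun after the issued certificate is imported): list the names each
# installed certificate does not cover, so gaps show up before clients hit them.
foreach ($cert in Get-ExchangeCertificate) {
    $san = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $missing = @($required | Where-Object { -not (Test-NameCovered -Name $_ -San $san) })
    if ($missing.Count -eq 0) {
        Write-Output "$($cert.Thumbprint): covers all required names"
    } else {
        Write-Output "$($cert.Thumbprint): missing $($missing -join ', ')"
    }
}
```

Any name added to `$required` later (a second CAS server or a CAS array name) will show up as missing until the certificate is re-keyed or replaced, which is the situation discussed in the replies.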
 

Author Comment

by:iamuser
ID: 34974824
So when we add more Cas servers in the future will we have to update the SAN or get another SAN?

Expert Comment

by:Glen Knight
ID: 34974833
Yes, some SSL providers will allow you to re-key your certificate; with others you may have to buy a new one.

Assisted Solution

by:Akhater
ID: 34974886
You do not need the name of your internal CAS servers. What you should do is create a CAS array and add the name of the CAS array to the SAN certificate. All new servers you add in this site will be in the same CAS array, and you will not need to rekey your certificate or add anything to it.

If you are having another site then it is another issue.

Expert Comment

by:Glen Knight
ID: 34974909
I wouldn't suggest you create a CAS array with only a single CAS server.

You can easily rekey your certificate later.  This is of course assuming you are talking about CAS Arrays

Expert Comment

by:Akhater
ID: 34974949
I'd have to disagree; creating a CAS array even with a single server is the way to go, since creating it later will not make Outlook clients that are already configured change from the CAS server name to the CAS array name, and all these clients will not benefit from the CAS array.


Expert Comment

by:Glen Knight
ID: 34974955
Where does the author of this question mention CAS Arrays?

Expert Comment

by:Glen Knight
ID: 34974973
It's also very easy to update the CAS Array setting for the users with EMS.

I'd be surprised if a single server CAS Array is a supported configuration.

Expert Comment

by:Akhater
ID: 34975046
The author doesn't ask about CAS arrays; I am just explaining that by creating one the problem is solved, and a single CAS array config is of course supported. I've done it countless times.

Expert Comment

by:Glen Knight
ID: 34975056
Because it works doesn't mean it's supported. Supported means if something doesn't work and you need to phone PSS then they will help you.

Author Comment

by:iamuser
ID: 34975372
What the heck is the CAS array? I have no idea what that is; can someone explain?

We are planning to do a DAG in the near future but we don't know how many CAS servers are going to be added. This is definite.


Assisted Solution

by:Glen Knight
ID: 34975459
A CAS Array is 2 or more CAS servers configured with a load balancer to provide high availability.

It's very different from a DAG.

I would ignore it completely until such a time comes when you have more than one CAS server.

Expert Comment

by:Akhater
ID: 34977616
When you are working with Exchange 2010 and you are building a redundant environment, a CAS array will be the cluster of your CAS servers. They will all have the same virtual name and you do NLB (Network Load Balancing) between them to give you high availability on the CAS side.


Now, as I have explained before, the issue is that if you start your configuration with just one CAS server and you do not build a CAS array, all your Outlook clients will be configured to connect to the CAS server name. Then, when you decide to add a second CAS server and create your CAS array, the Outlook configuration for clients that are already configured will NOT change automatically to the CAS array name. That means that your second CAS server will not be used by any existing client unless you change the config manually on all already existing Outlook clients.

For that reason, leaving the certificate apart, which comes in as a bonus, I recommend always creating a CAS array at the start, as the first thing in your setup, even if you have only one server. In that manner all Outlook clients will connect to the CAS array name from the start and you can seamlessly add CAS servers as you go.


Hope it helps

Expert Comment

by:Glen Knight
ID: 34977645
>>Then when you decide to add a second CAS server & create your CAS array Outlook configuration for clients that are already configured will NOT change automatically to the CAS array name

Outlook will not change automatically BUT it's very easy to change it so it does by using the Exchange Management Shell.

As I already mentioned, I would be very surprised if a single server CAS array is actually a supported configuration.

Expert Comment

by:Akhater
ID: 34977647
>>>Outlook will not change automatically BUT it's very easy to change it so it does by using the Exchange Management Shell. <<<


You will change it on Exchange; it will NOT affect the Outlook clients! And as I already said, it is supported; call MS and ask.


Expert Comment

by:Glen Knight
ID: 34977687
We will have to agree to disagree, I can find no evidence to suggest it's not a supported configuration and you clearly have no evidence to suggest it is supported.

Just note, that to use DAG and CAS Array correctly you would need a minimum of 4 Exchange servers (2 mailbox & 2 CAS).  If you put the CAS on both mailbox servers you would need to use a hardware load balancer.

Expert Comment

by:Akhater
ID: 34977702
We agree to disagree, no problem, on the first part.


For a DAG and CAS array to work correctly you can do it with 2 servers if you want; there is no relation at all between the CAS array and the NLB of the CAS servers.

Expert Comment

by:Glen Knight
ID: 34977731
Sorry yes I should have been more specific.  I was referring to the actual cluster not the CAS Array.