  • Status: Solved

Exchange 2010 SAN certificate

I'm getting my SAN certificate soon and I need to confirm that I'm doing it right.

My Internet Name: ACME.COM

My AD: N.ACME.COM

My Exchange 2010 Server: Mail.IN.ACME.COM

My CAS is Internet Facing: OWA.ACME.ORG

We will be doing DAG but in the future. We will be adding another CAS server under the ACME.COM Domain. I do not know what the name of that server will be at this time.

I understand that I need the following info on the SAN:

owa.domain.com
autodiscover.domain.com
CAS server FQDN
CAS server name

In my case I assume that the info on my SAN should look like this then:

OWA.ACME.COM
autodiscover.ACME.COM
MAIL.IN.ACME.COM
MAIL

Is the above correct? What about the CAS servers that I will use in the future; what can I do about that?



0
Asked by: iamuser
 
Glen Knight Commented:
OK, what you need is:

OWA.ACME.COM (the OWA URL)
autodiscover.ACME.COM (The acme.com here must be what is used after the @ in the primary email address)
MAIL.IN.ACME.COM (the internal fully qualified domain name of your server)
MAIL (some recommend this, I have never added it to mine and have never experienced a problem)
0
 
iamuser (Author) Commented:
So when we add more CAS servers in the future will we have to update the SAN or get another SAN?
0
 
Glen Knight Commented:
Yes, some SSL providers will allow you to re-key your certificate; with others you may have to buy a new one.
0
 
Akhater Commented:
You do not need the name of your internal CAS servers. What you should do is create a CAS array and add the name of the CAS array to the SAN certificate. All new servers you add in this site will be in the same CAS array and you will not need to rekey your certificate nor add anything to it.

If you are having another site then it is another issue.
0
 
Glen Knight Commented:
I wouldn't suggest you create a CAS array with only a single CAS server.

You can easily rekey your certificate later.  This is of course assuming you are talking about CAS Arrays
0
 
Akhater Commented:
I'd have to disagree. Creating a CAS array even with a single server is the way to go, since creating it later will not make Outlook clients that are already configured change from the CAS server name to the CAS array name, and all these clients will not benefit from the CAS array.

0
 
Glen Knight Commented:
Where does the author of this question mention CAS Arrays?
0
 
Glen Knight Commented:
It's also very easy to update the CAS Array setting for the users with EMS.

I'd be surprised if a single server CAS Array is a supported configuration.
0
 
Akhater Commented:
The author doesn't ask about CAS arrays; I am just explaining that by creating one the problem is solved, and a single CAS array config is of course supported. I've done it countless times.
0
 
Glen Knight Commented:
Because it works, doesn't mean it's supported.  Supported means if something doesn't work and you need to phone PSS then they will help you.
0
 
iamuser (Author) Commented:
What the heck is the CAS array? I have no idea what that is, can someone explain?

We are planning to do a DAG in the near future but we don't know how many CAS servers are going to be added. This is definite.

0
 
Glen Knight Commented:
A CAS Array is 2 or more CAS Servers configured with a load balancer to provide high availability.

It's very different from a DAG.

I would ignore it completely until such a time comes when you have more than one CAS server.
0
 
Akhater Commented:
When you are working with Exchange 2010 and you are building a redundant environment, a CAS array will be the cluster of your CAS servers. They will all have the same virtual name and you do an NLB (Network Load Balancing) between them to give you High Availability on the CAS side.


Now, as I have explained before, the issue is that if you start your configuration with just one CAS server and you do not build a CAS array, all your Outlook clients will be configured to connect to the CAS server name. Then when you decide to add a second CAS server & create your CAS array, Outlook configuration for clients that are already configured will NOT change automatically to the CAS array name. That means that your second CAS server will not be used by any existing client unless you change the config manually on all already existing Outlook clients.

For that reason, leaving the certificate apart, which comes in as a bonus, I recommend always creating a CAS array at the start, as the first thing in your setup, even if you have only one server. In that manner all Outlook clients will connect to the CAS array name from the start and you can seamlessly add CAS servers as you go.


Hope it helps
0
 
Glen Knight Commented:
>>Then when you decide to add a second CAS server & create your CAS array Outlook configuration for clients that are already configured will NOT change automatically to the CAS array name

Outlook will not change automatically BUT it's very easy to change it so it does by using the Exchange Management Shell.

As I already mentioned, I would be very surprised if a single server CAS array is actually a supported configuration.
0
 
Akhater Commented:
>>>Outlook will not change automatically BUT it's very easy to change it so it does by using the Exchange Management Shell. <<<


You will change it on Exchange; it will NOT affect the Outlook clients! And as I already said, it is supported; call MS and ask.

0
 
Glen Knight Commented:
We will have to agree to disagree, I can find no evidence to suggest it's not a supported configuration and you clearly have no evidence to suggest it is supported.

Just note, that to use DAG and CAS Array correctly you would need a minimum of 4 Exchange servers (2 mailbox & 2 CAS).  If you put the CAS on both mailbox servers you would need to use a hardware load balancer.
0
 
Akhater Commented:
We agree to disagree, no problem, on the first part.


For a DAG and CAS array to work correctly you can do it with 2 servers if you want; there is no relation at all between the CAS array and the NLB of the CAS servers.
0
 
Glen Knight Commented:
Sorry yes I should have been more specific.  I was referring to the actual cluster not the CAS Array.
0
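
The certificate request and CAS array setup discussed in this thread, as an added Exchange Management Shell example that is not part of any participant's post. The array FQDN `outlook.in.acme.com`, the array display name, the AD site name and the output path are assumptions; the thread disagrees on whether already-configured Outlook profiles follow a later change of `RpcClientAccessServer`, and this example does not settle that.

```powershell
# Added example. Run in the Exchange Management Shell on an Exchange 2010 server.
# Host names come from the thread unless marked as an assumption.

$casArrayFqdn = 'outlook.in.acme.com'      # assumption: hypothetical CAS array name
$casArrayName = 'ACME CAS Array'           # assumption: hypothetical display name
$adSite       = 'Default-First-Site-Name'  # assumption: your AD site name may differ
$requestPath  = Join-Path $env:TEMP 'acme-san.req'   # assumption: output location

# Names to request on the SAN certificate. The short name MAIL is left out,
# since the thread treats it as optional.
$sanNames = @(
    'owa.acme.com',           # the OWA URL
    'autodiscover.acme.com',  # domain after the @ in the primary email address
    'mail.in.acme.com',       # internal FQDN of the current server
    $casArrayFqdn             # array name, in place of future CAS server names
)

# Generate the request. The key is marked exportable so the issued certificate
# can later be installed on additional CAS servers; protect any exported PFX.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'cn=owa.acme.com' `
    -DomainName $sanNames `
    -PrivateKeyExportable $true
Set-Content -Path $requestPath -Value $csr

# Create the CAS array object for the AD site. Clients resolve the array FQDN
# through internal DNS, so a matching record must exist.
New-ClientAccessArray -Name $casArrayName -Fqdn $casArrayFqdn -Site $adSite

# Point the mailbox databases at the array name instead of a server name.
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $casArrayFqdn

# Confirm what was configured.
Get-ClientAccessArray | Format-List Name, Fqdn, Site, Members
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
```

Before submitting the request, compare `$sanNames` with the names the clients will actually use, since adding a name later means a re-key or a new certificate, as noted in the thread.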
