Solved

UCC Cert issue with AD Top Level Domain

Posted on 2011-02-27
9
871 Views
Last Modified: 2012-05-11
Hello,

I recently took over this organization and now installed a brand new exchange 2010 in a 2003 Active Directory forest domain. The issue that I noticed is that the DNS name space and NETBIOS name of active directory in this organization is called "domain.ad" and the external FQDN for the exchange is "mail.domain.com"

When I requested a UCC cert which includes the internal FQDN of the exchange server, the authentication failed as .ad is owned by the country Andorra. In order for me to get a .ad external domain the requirement is that you are a local resident for that country.

The question I have are the following:
1) I cannot rename the active directory dns name or netbios name with rendom.exe as there are too many services such as Microsoft Lync 2010 running in the organization
2) What is the recommended way that I get the UCC issued. Can I just add the NETBIOS names and for the external domain just create a split DNS?
3) The UCC i ordered is for 10 domains as I will be installing two more exchange servers in different sites, how would this impact the cert?

Any help would be appreciated.
0
Comment
Question by:bbwonders
  • 4
  • 3
  • 2
9 Comments
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 34992758
Internal certs for Exchange and Lync (domain.ad) that only need to be trusted by your domain can be issued using Windows PKI. The 3rd party certs are only needed for your External namespace (mail.domain.com, lync.domain.com autodiscover.domian.com etc).

0
 
LVL 2

Author Comment

by:bbwonders
ID: 34992772
Thanks. I was reading some documentation that states to add the netbios name of the exchange CAS in the SAN. Can someone confirm if that's correct?
0
 
LVL 11

Expert Comment

by:MichaelVH
ID: 34992975
bbwonders,

that is correct. There are some recommendations to keep in mind when using commercial certs.
Adding the netbios name is one of them (as internal users would likely approach the server using https://servername).

Greets,

Michael
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 2

Author Comment

by:bbwonders
ID: 34993099
So to make it correct, if i request a UCC with the following would it work with a split DNS lets say.

1) CAEX01
2) CAEX02
3) NYEX01
4) NYEX02
5) CACAS
6) NYCAS
7) Autodiscover
8) mail.domain.com
9) CAUM01
10) NYUM01

In this example the only external domain name i have used is the mail.domain.com, I have not used a internal FQDN of the machine. In my internal DNS zone, I can create a domain.com and add the CNAME records for a split DNS. Can someone confirm and I will request the SAN cert from GoDaddy
0
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 34993428
We have a legacy domain name that has a non certable internal DNS as well. We added only our external domain names to the cert. It is not optimal, but it works.

mail.domain.com
mail.other.com
mail.other.com
owa.domain.com
autodiscover.domain.com

We added all these subject alternate names to the cert.

The internal name of the mail server is not listed in the cert.
0
 
LVL 11

Accepted Solution

by:
MichaelVH earned 125 total points
ID: 34994996
Indeed, it's possible to not add the internal domain name, but in that case your internal clients could be presented with cert-warnings, which is indeed suboptimal.

About the names that you added: you still have to add e.g. autodiscover.domain.com.

To work around the issue of the local domain name for which you cannot request a URL, I suggest that you change the value of the internal URL's to match these of the external URL's. That way your clients won't be getting a cert warning. For more information take a look here:
http://support.microsoft.com/kb/940726/en-us

Grts,

Michael
0
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 34999528
Just to add, I did not setup our current Exchange server, I was just mentioning that we have the exact same issue and have only the names listed in my previous post and do not get any cert errors on our clients. Not sure what was done to rectify this but it works without issues.
0
 
LVL 2

Author Comment

by:bbwonders
ID: 34999815
I think what Michael suggested is a good idea. That way i can do a split DNS and the internal users won't go out the network but still maintain the same name. Let me test today and get back to everyone.

Thanks!
H
0
 
LVL 2

Author Closing Comment

by:bbwonders
ID: 35130970
Worked based on the recommendation. Thanks!
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Find out what you should include to make the best professional email signature for your organization.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question