
DNS - SSL F

Hi Guys,

I want to set up an "A" record for our SSL FQDN in DNS.

This is INTERNALLY for "AutoDiscover" to find the Exchange server on the local IP.
Externally our remote.domain.com refers to the public IP.

I've included the entry in the host file on the individual workstations, and it works just fine.

I guess a better way is to include the record in DNS as an "A" record.

- I should create the "A" record under Forward Lookup Zones
- There are currently two zones listed (local domain & _msdcs)

* Should I create a new zone under which to create the "A" record?
Asked by: Rupert Eghardt
4 Solutions
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
It's always better to use DNS server instead of hosts file. Could you tell me please what you want to add to DNS? (I need a little bit more detailed explanation)

You have a domain.local zone and you want to add a local DNS zone domain.com? What IP and what FQDN would you like to have?

Thank you in advance.

Regards,
Krzysztof
 
Rupert Eghardt (Programmer, Author) commented:
The FQDN of our SSL for Outlook Anywhere (example: OWA)
remote.domain.com

We have to add this to the DNS so that the local workstations could discover the Exchange server locally.
Currently the remote.domain.com refers to a PUBLIC IP externally.
Internally we want to set up the DNS so that remote.domain.com would refer to the LOCAL IP (192.x.x.x)

I hope this explains.

Thus, I need to know where I should add the "A" record for remote.domain.com to refer back to local IP?
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
OK, so create a new DNS zone domain.com in your DNS server and add an A host for remote with the internal OWA server's IP :)
This would work :)

Then you will have OWA resolved internally :)

Krzysztof
 
JaredJ1 commented:
You could create a new zone for your email domain name; however, you should be aware of what this will do. I assume your internal domain name is something like 'domain.local' and you want to create 'emailaddressdomain.com'. You could do this, and create an A record for Autodiscover; however, your DNS server will become authoritative internally for this zone. If you attempt to visit your external website (www.emailaddressdomain.com) internally, the DNS name will not resolve unless you create all of those records also, i.e. the 'www' record and any other hostnames that are required.

Just one thing to note about autodiscover: this record is only used by non-domain-joined computers/devices. All PCs that are members of the domain will get the autodiscover address via an AD service connection point lookup, so if all of your computers are members of the domain you probably don't need it.
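As an added worked example (not code from any poster in this thread), here is the split-brain setup Krzysztof suggests, together with the extra public records JaredJ1 warns about, written for the Windows DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); the zone name, the internal IP, the public resolver and the hostname list are placeholders you must replace.

```powershell
# Added example: internal "shadow" zone for domain.com on a Windows DNS server.
# Assumptions (placeholders): zone domain.com, internal CAS at 192.168.1.10,
# public resolver 8.8.8.8, and the public hostnames listed in $PublicHosts.
$Zone        = 'domain.com'
$InternalIp  = '192.168.1.10'     # constructed: internal Exchange/CAS address
$PublicDns   = '8.8.8.8'          # any resolver that still sees the public zone
$PublicHosts = @('www', 'mail')   # constructed: names that must keep resolving

# 1. Create the AD-integrated forward lookup zone for the e-mail domain
#    (only if it does not already exist).
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain'
}

# 2. The record the asker wants: remote.domain.com -> internal IP.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'remote' `
    -IPv4Address $InternalIp -TimeToLive (New-TimeSpan -Hours 1)

# 3. The server is now authoritative for domain.com internally, so every
#    other public name (www, mail, ...) must be copied in or it stops
#    resolving for internal clients. Ask a public resolver for each one and
#    mirror the A answers into the internal zone.
foreach ($h in $PublicHosts) {
    $answers = Resolve-DnsName -Name "$h.$Zone" -Type A -Server $PublicDns `
                   -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }
    if (-not $answers) {
        Write-Warning "No public A record for $h.$Zone; add it by hand if needed."
        continue
    }
    foreach ($a in $answers) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $h -IPv4Address $a.IPAddress
    }
}

# 4. Verify: 'remote' should show the internal IP, the others the public ones.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
```

Re-run step 3 whenever the public zone changes, since the internal copy does not follow it automatically; on older servers the equivalent commands are `dnscmd /ZoneAdd` and `dnscmd /RecordAdd`.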
 
Rupert Eghardt (Programmer, Author) commented:
I also thought that AD should have provided the lookup.
However, we had a certificate error on the W/S and I could see that it was referring back to the public IP.
After adding the entry to the W/S host file, the error was resolved.

I have not yet imported the certificate into ISA; we are still busy setting up Outlook Anywhere.
Would ISA not refer the lookup back to the Exchange server internally?
 
JaredJ1 commented:
The AD lookup should definitely work if the clients are members of the domain. Perhaps there is something configured incorrectly. You can do an autodiscover test to see what hostnames are being returned by Outlook. Launch Outlook, then hold down the Ctrl key and right-click on the Outlook icon in the system tray/notification area. Select 'Test Autodiscover'.

Enter your email address and password. Untick the two GuessSmart boxes. Run the test and then look at the 'Log' tab. It will tell you which server names it has found and if they responded.

Let me know the results. If you don't have a trusted certificate installed on the Exchange CAS server you may get prompted to state whether you trust the cert/server but it should still work.
 
InterframeGap commented:
When dealing with autodiscover there are a few things to remember (assuming my brain has not failed me today):

1) If the client is part of the domain (machine account exists for client)
   1a) If the machine is internal to the company
2) Clients trusted to the domain will look for the SCP object for the CAS array and for autodiscover
   REF: http://msdn.microsoft.com/en-us/library/ms677638.aspx
3) autodiscover follows this sequence:
   - https://domain.com/autodiscover/autodiscover.xml
   - if fail then:
     - https://autodiscover.domain.com/autodiscover/autodiscover.xml
   - if fail and OL 2010 SP1 then:
     - _SRV lookup for cas array

------------
External clients follow a slightly different path:
This may supply some good sleeping material if you have sleeping problems:
http://technet.microsoft.com/en-us/library/bb124251.aspx
http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx

Keep away from hostfiles... always use DNS. Host files are fine for testing and troubleshooting but not for production (unless you have a 3 user office).

If you have integrated DNS/DHCP with AD, depending on the site design your clients will find the autodiscover.xml (but that must be created).

This post might give you some information:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22662775.html

Question has a verified solution.