Exchange 2010 US/SAN Certificate

Posted on 2011-03-01
Last Modified: 2012-08-14
Hi,

Just looking for some validation.
I am in the process of renewing my UC certificate for Exchange 2010 and wanted to make sure I am considering the correct SAN entries.
We currently have a single multi-role 2010 server running CAS, HT and Mailbox.
We are planning on adding a mailbox server for DAG and 4 additional servers to run CAS/HT so we can remove those roles from the current server and dedicate roles.

Microsoft states in the 2010 SP1 help to "In addition to using as few certificates as possible, you should also use as few host names as possible."
http://technet.microsoft.com/en-us/library/dd351044.aspx

Do they say this as they assume all clients are pointing to a CAS array where a DNS host record pointing to 'mail' resolves to an array with multiple CAS servers behind it?

What if you do not use a CAS array and have CAS servers geographically dispersed?
I guess you will still have to use all the hostnames of the servers.


Our internal AD domain is:
company.net
Our External DNS is:
company.com

-Current SAN certificate detail:
Subject:
CN = mail.company.net
OU = Domain Control Validated
O = mail.company.net
 
Friendly Name:
Exchange05
 
SAN entries:
DNS Name=mail.company.net
DNS Name=www.mail.company.net (Not sure why this is in here)
DNS Name=company.com
DNS Name=company.net
DNS Name=autodiscover.company.net
DNS Name=server05
DNS Name=server05.clinipace.net

-New/Proposed SAN certificate detail:
Subject:
CN = mail.company.net
OU = Domain Control Validated
O = mail.company.net
 
Friendly Name:
mail.company.net
 
SAN entries:
DNS Name=mail.company.net
DNS Name=mail.company.com
DNS Name=company.com
DNS Name=company.net
DNS Name=autodiscover.company.net
DNS Name=server05
DNS Name=server05.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net


Question by:Intelli-Po

Expert Comment

by:MichaelVH
ID: 35010766
Hi,

1. I don't see the autodiscover.company.com in your list and you would definitely need that!
2. adding each hostname (+hostname of the casarray) for each CAS server. I currently see only one (unless you're not going for 2?)

Grts,

Michael
 

Author Comment

by:Intelli-Po
ID: 35010818
Thanks Michael,

Autodiscover.company.net is in there, does .com need to be?
On External DNS, there is an autodiscover.company.com and autodiscover.company.net that points-NATs to the internal record for autodiscover.company.net.

-New/Proposed SAN certificate detail:
Subject:
CN = mail.company.net
OU = Domain Control Validated
O = mail.company.net
 
Friendly Name:
mail.company.net
 
SAN entries:
DNS Name=mail.company.net
DNS Name=mail.company.com
DNS Name=company.com
DNS Name=company.net
DNS Name=autodiscover.company.net
DNS Name=server05
DNS Name=server05.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net
DNS Name=<new server>
DNS Name=<new server>.company.net
 

Expert Comment

by:MichaelVH
ID: 35010859
Intelli-Po,

you need the autodiscover.company.com if e.g. users are having email addresses like user@company.com because that's where Outlook (or other clients) is going to look first.

Mail.company.com is needed because I suppose that's the URL they're going to use for OWA?

You don't actually need to add company.com and company.net.

Server05 on the other hand, you do need (and server05.company.net as well).

Grts,

Michael

Author Comment

by:Intelli-Po
ID: 35010887
I see, would it make sense to have both in the cert?
autodiscover.company.com
autodiscover.company.net
 

Expert Comment

by:MichaelVH
ID: 35010898
Sorry,

the last line of my last post might be a bit confusing:

having server05.company.net (the FQDN of the server) is enough.

Michael
 

Expert Comment

by:MichaelVH
ID: 35010932
AFAIK you don't need the autodiscover.company.net (internal domain)
 

Accepted Solution

by:MichaelVH (earned 500 total points)
ID: 35010946
So in your case, to summarize:

autodiscover.company.com
company.net
mail.company.com
server05.company.net

Grts

Michael

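As an added example (not from the thread or from Microsoft), this is a check an admin could run in the Exchange 2010 Management Shell before ordering the renewal discussed in the question: it compares the SAN list of the certificate currently enabled for IIS against the names in the accepted answer, reports what is missing or surplus, and builds the request. The hostnames are the thread's anonymised placeholders and the subject's O= value and the output path are assumptions to edit.

```powershell
# Added example, not the thread's own code. Run in the Exchange 2010 Management Shell.
# Required names taken from the accepted solution above (company.net = internal AD
# domain, company.com = external DNS). Edit to match your own environment.
$requiredNames = @(
    'mail.company.com',          # external OWA / Outlook Anywhere name
    'autodiscover.company.com',  # where Outlook looks first for user@company.com
    'company.net',
    'server05.company.net'       # FQDN of the existing CAS (bare "server05" not needed)
)

# The certificate currently bound to IIS (OWA, EWS, Autodiscover) on this CAS.
$current = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
           Select-Object -First 1
if ($current -eq $null) { throw 'No certificate is enabled for the IIS service on this server.' }

# Normalise both lists to lower case; DNS names in SANs are case-insensitive.
$present = @($current.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$wanted  = @($requiredNames | ForEach-Object { $_.ToLower() })
$missing = @($wanted  | Where-Object { $present -notcontains $_ })
$extra   = @($present | Where-Object { $wanted  -notcontains $_ })

"Current IIS certificate : $($current.Thumbprint) (expires $($current.NotAfter))"
"Missing from current cert: $($missing -join ', ')"
"On cert but not required : $($extra -join ', ')"

# Generate the renewal CSR only if the current certificate does not cover every name.
# Exchange 2010 returns the request as text; write it out for submission to the CA.
# The O= value and output path are placeholders (assumptions).
if ($missing.Count -gt 0) {
    $csr = New-ExchangeCertificate -GenerateRequest `
        -SubjectName 'C=US, O=Company, CN=mail.company.net' `
        -DomainName $requiredNames `
        -KeySize 2048 `
        -PrivateKeyExportable $true `
        -FriendlyName 'mail.company.net'
    $path = Join-Path $env:TEMP 'mail.company.net.req'
    Set-Content -Path $path -Value $csr
    "Certificate request written to $path"
}
```

The surplus list will show names such as www.mail.company.net and the bare server05 entry from the current certificate, which is exactly the "as few host names as possible" trimming the TechNet guidance quoted in the question is asking for.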