Exchange 2010 UCC certificate - internal FQDN problem

I inherited an Active Directory running Server 2003/Exchange.

The internal AD domain name is *not* unique on the internet. The name is registered to a company completely unrelated to our internal network. The network has a valid registered public domain name.

I am currently installing Server 2008 and Exchange 2010, and am going to have problems requesting a UCC cert with SANs including someone else's public domain name.

Questions:
1. Do I need to have the Exchange 2010 internal server name as a SAN?
2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain", where "public.domain" is someone else's registered domain name)?
3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public DNS suffix (e.g., "exch10.mydomain.com")?
snowdog_2112 asked:

praveenkumare_sp commented:

Questions and Answers
1. Do I need to have the Exchange 2010 internal server name as a SAN?

Yes (but not absolutely necessary).


2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain", where "public.domain" is someone else's registered domain name)?

FQDN without hostname can work.
Hostname without FQDN is of no use; it's really a waste.


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public DNS suffix (e.g., "exch10.mydomain.com")?

Instead of doing that, why not follow the answer below.
In the paragraph below I have explained how to change the internal URL such that you don't need to have the CAS FQDN in the certificate.

Follow KB 940726 below and change the URLs:

http://support.microsoft.com/kb/940726
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""

In short, this is what you have to do (taken from the URL for your reference):



To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:

1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
   Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
   Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
   Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
   Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
   Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
  https://ServerName.contoso.com/ews/exchange.asmx
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.
Akhater commented:
1. Do I need to have the Exchange 2010 internal server name as a SAN?

No.


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public DNS suffix (e.g., "exch10.mydomain.com")?
This is what you will need to do, but with a slightly different approach:

a. Create a CAS array and call it, say, cas.yourdomain.com.
b. Configure all your internal and external URLs to be, say, mail.yourdomain.com.
c. Change the RPC Client Access server on your databases to be cas.yourdomain.com.

Request your certificate with:
mail.yourdomain.com
cas.yourdomain.com
autodiscover.yourdomain.com

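Both answers above come down to the same check: every host name the CAS hands to clients (internal URLs, the Autodiscover SCP, and the RPC Client Access endpoint) must appear in the certificate's SANs. The following is an added example, not from the thread or from Microsoft: a PowerShell audit for the Exchange 2010 Management Shell that lists those names and flags any missing from the IIS certificate, so a name in a domain you cannot get a certificate for (such as exch10.public.domain) is caught before Outlook starts prompting. `Test-NameCovered` is a helper written here, and the target is assumed to be the local server.

```powershell
# Added example (not from the thread): audit CAS client-facing names against
# the SANs of the certificate bound to IIS on an Exchange 2010 CAS.
param([string]$Server = $env:COMPUTERNAME)

# Every URL a client may be redirected to from this CAS.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$urls += (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
$urls += (Get-OABVirtualDirectory        -Server $Server).InternalUrl
$urls += (Get-OwaVirtualDirectory        -Server $Server).InternalUrl
$urls += (Get-EcpVirtualDirectory        -Server $Server).InternalUrl
$urls += (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
# Outlook MAPI endpoint: the CAS array FQDN (Akhater's step c) or the server FQDN.
$urls += Get-MailboxDatabase | ForEach-Object { "https://$($_.RpcClientAccessServer)/" }

$names = $urls | Where-Object { $_ } |
         ForEach-Object { ([Uri]"$_").Host.ToLower() } | Sort-Object -Unique

# SANs of the certificate that has the IIS service assigned.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# Hypothetical helper: exact SAN match, or a wildcard SAN covering exactly one label.
function Test-NameCovered([string]$Name, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name -like $d -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

"Certificate SANs: $($sans -join ', ')"
foreach ($n in $names) {
    $state = if (Test-NameCovered $n $sans) { 'covered' } else { 'NOT IN CERTIFICATE' }
    "{0,-45} {1}" -f $n, $state
}
```

Any name reported as NOT IN CERTIFICATE is one that either needs a split-DNS record and a URL change to a name you own, or a SAN on the UCC request.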
praveenkumare_sp commented:
Hope my comment helps to solve your queries.

Let me know if you need more help :)
snowdog_2112 (Author) commented:
Thanks for the quick follow-up. I'll report back with my results, hopefully sometime tomorrow.

praveenkumare_sp commented:
Sure, do let me know the results.

Bye.
Akhater commented:
I am sorry, praveenkumare_sp, that won't solve the issue.

In all the steps you gave (which, by the way, are for Exchange 2007 and not 2010, but will work for the most part) you are proposing to change them to an FQDN. What FQDN are you talking about? Obviously this FQDN needs to be in the certificate, and since the OP can only get a certificate for his external domain, the only solution is split DNS.

To snowdog_2112: did you install Exchange 2010 or not yet? If not, while installing it you will be asked if you want it to be Internet facing; click yes and enter mail.yourdomain.com in the text box. This will simplify things for you.

Is there anything in my proposition that is not clear?
praveenkumare_sp commented:
Akhater, I beg to differ in this situation; I have seen cases where it works by changing the FQDN.

The reason why you get the certificate prompt: because you don't have the CAS FQDN in the certificate.

Can we get the FQDN in the certificate? No, as the FQDN has the name of a domain that belongs to another company.

What workaround do we have? Don't put the CAS FQDN in the certificate, and change the internal URL to the external URL.

How does this solve the problem? As the CAS FQDN (internal URL) is no longer in the picture, your clients won't get a certificate prompt.

praveenkumare_sp commented:
I think the above statement is self-explanatory; let me know if you have any concerns :)
Akhater commented:
:) This is exactly what split DNS is: to put in the certificate the FQDN corresponding to a domain you OWN and use this instead of the current CAS FQDN.

This is exactly what I told the OP to do in the first post.
praveenkumare_sp commented:
Akhater, I don't understand why you have said
"obviously speaking this FQDN needs to be in the certificate and since the OP can only get a certificate for his external domain",

as my solution does not need or ask you to have the internal domain in the certificate; it requires only the external domain name.
snowdog_2112 (Author) commented:
Thanks for the help. Exchange was already installed when we discovered that the previous IT support company had used someone else's public domain name for the internal AD name. (We have also corrected our internal procedures to do a better "discovery phase" to prevent this with other customers of ours.)

praveenkumare_sp commented:
Good to hear your issue is resolved.