Solved

exchange 2010 ucc certificate - internal fqdn problem

Posted on 2011-03-10
Last Modified: 2012-05-11
I inherited an active directory running 2003 server/exchange.

The internal AD domain name is *not* unique on the internet.  The name is registered to a company completely unrelated to our internal network.  The network has a valid registered public domain name.

I am currently installing Server 2008 and Exchange 2010, and am going to have problems requesting a UCC cert with SANs including someone else's public domain name.

Questions:
1. Do I need to have the Exchange 2010 internal server name as a SAN
2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain", where "public.domain" is someone else's registered domain name)?
3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").
Expert Comment by: Akhater (ID: 35101601)
1. Do I need to have the Exchange 2010 internal server name as a SAN

no


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").
This is what you will need to do, but with a slightly different approach:

a. Create a CAS array and call it, say, cas.yourdomain.com.
b. Configure all your internal and external URLs to be, say, mail.yourdomain.com.
c. Change the RPC Client Access server on your databases to be cas.yourdomain.com.

Request your certificate with:
mail.yourdomain.com
cas.yourdomain.com
autodiscover.yourdomain.com


Accepted Solution by: praveenkumare_sp (earned 500 total points), ID: 35102613

Questions and Answers
1. Do I need to have the Exchange 2010 internal server name as a SAN

yes (but not absolutely necessary )


2. If I do need the internal FQDN, can I put *just* the hostname with no suffix (e.g., "exch10" instead of "exch10.public.domain"  - where "public.domain" is someone else's registered domain name)

FQDN without hostname can work.
Hostname without FQDN is of no use; it's really a waste.


3. Can I use split DNS and create an A record combining the internal hostname of the Exchange 2010 server with my public dns suffix (e.g., "exch10.mydomain.com").

Instead of doing that, why not follow the answer below.
In the paragraph below I have explained how to change the internal URL such that you don't need to have the CAS FQDN in the certificate.


Follow the KB below and change the URLs (KB 940726):

http://support.microsoft.com/kb/940726
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""


In short, this is what you have to do (taken from the URL for your reference):



To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:

1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
   Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
   Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
   Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
   Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
   Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following: https://ServerName.contoso.com/ews/exchange.asmx
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com".
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.
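Akhater's proposal (CAS array plus public-name URLs) and the KB 940726 steps quoted above come down to the same configuration: every name Exchange hands to a client must be one you own and have on the certificate. The following Exchange 2010 Management Shell script is an added example, not code from this thread, from KB 940726 or from Microsoft's own documentation. It applies both sets of steps and then checks each host name Exchange now publishes against the names on the certificate bound to IIS. "yourdomain.com", "EXCH10" and "Default-First-Site-Name" are placeholders, and it assumes split DNS already resolves mail.yourdomain.com and cas.yourdomain.com to the CAS server's internal address.

```powershell
# Added example (not from the thread, KB 940726 or Exchange's documentation).
# Placeholders: public suffix "yourdomain.com", CAS server "EXCH10",
# AD site "Default-First-Site-Name". Assumes split DNS already points
# mail.yourdomain.com and cas.yourdomain.com at the internal CAS address.
# Run in the Exchange 2010 Management Shell on the CAS server.

$PublicSuffix = "yourdomain.com"
$CasServer    = "EXCH10"
$MailHost     = "mail.$PublicSuffix"
$CasArrayFqdn = "cas.$PublicSuffix"
$AdSite       = "Default-First-Site-Name"
$base         = "https://$MailHost"

# --- 1. Point every client-facing URL at the public name, so no URL that
#        Autodiscover hands out carries the AD suffix you cannot own.
Set-ClientAccessServer -Identity $CasServer `
    -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" `
    -InternalUrl "$base/ews/exchange.asmx" -ExternalUrl "$base/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$CasServer\oab (Default Web Site)" `
    -InternalUrl "$base/oab" -ExternalUrl "$base/oab"
Set-OwaVirtualDirectory -Identity "$CasServer\owa (Default Web Site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory -Identity "$CasServer\ecp (Default Web Site)" `
    -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$CasServer\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"

# --- 2. Outlook's MAPI/RPC session uses the database's RpcClientAccessServer
#        name, not the server FQDN, so give it a CAS array under the public
#        suffix as well (Akhater's steps a and c).
if (-not (Get-ClientAccessArray | Where-Object { $_.Fqdn -eq $CasArrayFqdn })) {
    New-ClientAccessArray -Name "cas" -Fqdn $CasArrayFqdn -Site $AdSite | Out-Null
}
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $CasArrayFqdn

# --- 3. Verify: every host name Exchange now publishes must match a name on
#        the IIS-bound certificate, otherwise the Outlook prompt comes back.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        # A wildcard entry covers exactly one label to the left of the suffix.
        if ($n.StartsWith("*.") -and $h.EndsWith($n.Substring(1)) -and
            ($h.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

$iisCert   = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })

$urls = @(
    (Get-ClientAccessServer -Identity $CasServer).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)").InternalUrl
    (Get-OABVirtualDirectory -Identity "$CasServer\oab (Default Web Site)").InternalUrl
    (Get-OwaVirtualDirectory -Identity "$CasServer\owa (Default Web Site)").InternalUrl
    (Get-EcpVirtualDirectory -Identity "$CasServer\ecp (Default Web Site)").InternalUrl
    (Get-ActiveSyncVirtualDirectory -Identity "$CasServer\Microsoft-Server-ActiveSync (Default Web Site)").InternalUrl
) | Where-Object { $_ }
$hosts = @($urls | ForEach-Object { ([Uri]$_).Host }) + $CasArrayFqdn | Sort-Object -Unique

foreach ($h in $hosts) {
    $status = if (Test-NameCovered -HostName $h -CertNames $certNames) { "OK  " } else { "MISS" }
    "$status $h"
}
```

Any line reported as MISS is a name clients will still be given that the certificate does not cover, which is exactly the condition both posters argue about. The KB's final step, recycling MSExchangeAutodiscoverAppPool in IIS, still applies after the URL changes, and without the internal A records for mail.yourdomain.com and cas.yourdomain.com internal clients would resolve the public address instead.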

Expert Comment by: praveenkumare_sp (ID: 35102618)
Hope my comment helps to solve your queries.

Let me know if you need more help :)
Author Comment by: snowdog_2112 (ID: 35103084)
Thanks for quick follow-up.  I'll report back with my results, hopefully sometime tomorrow.
Expert Comment by: praveenkumare_sp (ID: 35103376)
Sure, do let me know the results.

Bye
Expert Comment by: Akhater (ID: 35106101)
I am sorry praveenkumare_sp, that won't solve the issue.

In all the steps you gave (which, by the way, are for Exchange 2007 and not 2010, but will work for the most part) you are proposing to change them to an FQDN. What FQDN are you talking about? Obviously this FQDN needs to be in the certificate, and since the OP can only get a certificate for his external domain, the only solution is split DNS.

To snowdog_2112: did you install Exchange 2010 or not yet? If not, while installing it you will be asked if you want it to be Internet facing; click yes and enter mail.yourdomain.com in the text box. This will simplify things for you.

Is there anything in my proposition that is not clear?
Expert Comment by: praveenkumare_sp (ID: 35109014)
Akhater, I beg to differ in this situation; I have seen cases where it works by changing the FQDN.

The reason why you get the certificate prompt: because you don't have the CAS FQDN in the certificate.

Can we get the FQDN in the certificate? No, as the FQDN has the name of a domain that belongs to another company.

What workaround do we have? Not to put the CAS FQDN in the certificate, and change the internal URL to the external URL.

How does this solve the problem? As now no more CAS FQDN (internal URL) is in the picture, your clients won't get a certificate prompt.
Expert Comment by: praveenkumare_sp (ID: 35109028)
I think the above statement is self-explanatory; let me know if you have any concerns :)
Expert Comment by: Akhater (ID: 35109065)
:) This is exactly what split DNS is: to put in the certificate the FQDN corresponding to a domain you OWN, and use this instead of the current CAS FQDN.

This is exactly what I told the OP to do in the first post.
Expert Comment by: praveenkumare_sp (ID: 35109138)
Akhater, I don't understand why you have said
"obviously speaking this FQDN needs to be in the certificate and since the OP can only get a certificate for his external domain"

as my solution does not need or ask you to have the internal domain in the certificate; it requires only the external domain name.

Author Closing Comment by: snowdog_2112 (ID: 35320080)
Thanks for the help.  Exchange was already installed when we discovered that the previous IT support company had used someone else's public domain name for the internal AD name.  (we have also corrected our internal procedures to do a better "discovery phase" to prevent this with other customers of ours).
Expert Comment by: praveenkumare_sp (ID: 35320134)
Good to hear your issue is resolved.