Exchange 2010 Autodiscover SAN Certificate Questions

BPilot67
Hi, I have a question on Autodiscover SAN certificates. I'm doing an Exchange 2010 migration with 2003 coexistence. DNS is configured as, for example: company.com (external) and company.local (internal). I know I need a SAN with, for example: mail.company.com (for most web services), legacy.company.com (for Exchange 2003), and autodiscover.company.com (for autodiscovery). However, do I need to include autodiscover.company.local in the certificate for autodiscovery to work properly on the LAN? Or would it just be simpler / better to change the local autodiscovery directory to match autodiscover.company.com on the LAN side (or does it not matter)? Are there any other names that I may / should want to include in the SAN certificate for basic function, such as company.com or company.local? Finally, does the common name matter (is it best to match it to mail.company.com)? Any thoughts or advice would be much appreciated. Thanks!

EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
You have to include these names in your SAN:

1. mail.externaldomain.com (create a new zone in your internal DNS, name it 'externaldomainname.com', and create an A record mail.domain.com to access OWA with the same name from the internal network)
2. exchservername.internaldomain.local
3. autodiscover.externaldomain.com (create an A record autodiscover.domain.com in your new DNS zone, i.e. externaldomain.com)
4. Legacyserver.internaldomain.com


MAS
EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
mail.externaldomain.com and autodiscover.externaldomain.com in your internal DNS server should point to the Exchange 2010 server's internal IP.
Yes, it is best to match it to mail.company.com, or you will have issues with Outlook Anywhere users (which can be rectified).

Author

Commented:
Thanks for the comments guys. I see what you are saying here with the internal DNS zone created to resolve the external names to internal IP’s, so that makes sense.

However, doesn't Autodiscover work off of the Service Connection Point (SCP) created in Active Directory, which would still map to the internal URL by default? So with the settings described above, would I not still have to alter the default autodiscover URL to company.com to avoid the certificate error? Would not adding a name to the SAN for company.local also solve the problem?

In addition, with pointing the Legacy to legacy.company.local, would I not also have to change the Exchange2003URL path to match legacy.company.local and point it in internal DNS to the 2003 front end server? Let me know if I am missing something.

Thanks again!
MAS
EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Once the new zone is created and a new A record is created, inform all your users to access OWA by this name, i.e. mail.externaldomain.com. Otherwise you will have a certificate error.

No need to make any name change for legacy Exchange.
Hi BPilot67,

Even though the autodiscover URL is pulled from the SCP, it does not require any certificate; only the URLs pulled by autodiscover (like OOF, availability, OAB, etc.) need a certificate.

And your comment on Exchange2003URL is right: if you have external DNS it would work, it's just that it's expensive to allow a client to go to the external DNS to resolve when internal DNS can do the same.
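The split-DNS zone, SAN request and SCP/internal-URL alignment discussed in this thread, pulled together as an added Exchange Management Shell example (not posted by anyone in the thread). It assumes the company.com / company.local names from the question; the server name EX2010 and the address 10.0.0.5 are placeholders.

```powershell
# Added example, not from the thread. Assumed names: company.com from the question;
# EX2010 and 10.0.0.5 are placeholders. Run in the Exchange Management Shell on the
# Exchange 2010 Client Access Server (dnscmd needs the DNS server role or RSAT).
$ExtDomain = 'company.com'
$CasServer = 'EX2010'                     # placeholder 2010 CAS name
$CasIp     = '10.0.0.5'                   # placeholder internal IP of the 2010 CAS
$SanNames  = @("mail.$ExtDomain", "autodiscover.$ExtDomain", "legacy.$ExtDomain")

# 1. Split DNS: an internal copy of the external zone so mail/autodiscover resolve
#    to the internal CAS address from the LAN instead of the public address.
dnscmd /ZoneAdd $ExtDomain /DsPrimary
dnscmd /RecordAdd $ExtDomain mail         A $CasIp
dnscmd /RecordAdd $ExtDomain autodiscover A $CasIp

# 2. Certificate request: CN = mail.company.com, SANs = the three names above.
#    Only add the server's .local FQDN as a further SAN if step 3 is skipped and
#    the internal URLs are left pointing at the internal name.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.$ExtDomain,O=Company,C=US" `
    -DomainName $SanNames `
    -KeySize 2048 -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 SAN'
Set-Content -Path 'C:\certreq.txt' -Value $req   # submit this to the CA

# 3. Point the SCP and the internal URLs at names that are on the certificate,
#    so Outlook on the LAN never contacts a host absent from the SAN.
Set-ClientAccessServer -Identity $CasServer `
    -AutoDiscoverServiceInternalUri "https://autodiscover.$ExtDomain/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" `
    -InternalUrl "https://mail.$ExtDomain/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$CasServer\OAB (Default Web Site)" `
    -InternalUrl "https://mail.$ExtDomain/OAB"

# 4. Check: every internal host name that autodiscover hands out must be a SAN name.
$urls = @((Get-ClientAccessServer $CasServer).AutoDiscoverServiceInternalUri,
          (Get-WebServicesVirtualDirectory -Server $CasServer).InternalUrl,
          (Get-OABVirtualDirectory -Server $CasServer).InternalUrl)
foreach ($u in $urls) {
    $hostName = ([Uri]$u).Host
    if ($SanNames -notcontains $hostName) {
        Write-Warning "$u : host '$hostName' is not on the certificate"
    }
}
```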
