Solved

Exchange 2010 multi site certificates

Posted on 2013-01-10
Last Modified: 2013-01-12
Hi All,

I have two sites in one AD domain. Each site has its own Exchange Server 2010 hosting the mailbox, HT, and internet-facing CAS roles. We have multiple e-mail domains being accepted in this Exchange environment.

@domain1.com
@domain2.com
@domain3.com

Our local DNS infrastructure is private and is abc.local

In site 1 (primary site) the exchange server is called ex1.abc.local and in site 2, the exchange server is ex2.abc.local.

mail.domain1.com points to ex1.abc.local and mail.domain2.com points to ex2.abc.local

MX records for the above domains:

domain1.com -> mail.domain1.com
domain2.com -> mail.domain2.com
domain3.com -> mail.domain1.com

Note: I need autodiscover to work properly for all domains.

Questions:

1- For each Exchange server, what are the specifics for each SAN certificate?
2- When the SAN certificates are configured properly, will domain2 users going to https://mail.domain1.com/owa be redirected automatically to mail.domain2.com (if their mailbox resides there)?
3- Can I get away with GoDaddy's SAN certificates instead of having to pay a hefty fee to other providers?

Thanking you all in advance,

George
Question by:giorgio71
Expert Comment

by:Simon Butler (Sembee)
ID: 38763944
Moving backwards... GoDaddy certificates - yes, they are fine. I have deployed hundreds of them.
If you get the external URLs configured correctly, a user who hits the "wrong" server will be redirected to the correct server with their mailbox on it. You will need a unique host name for each server, configured as the external URL.

A single certificate is going to be your best option here, as GoDaddy will not allow the autodiscover record to apply on multiple certificates.

With the forthcoming changes to the SSL certificate issuing guidelines you will need to use an external host name internally via split DNS. As this is only three host names, I would do the following:

mail.domain1.com
mail.domain2.com
mail.domain3.com
autodiscover.domain1.com
autodiscover.domain2.com
autodiscover.domain3.com

Setup split DNS so that mail and autodiscover for each domain resolve internally as well, and adjust Exchange on each server to use those host names internally and externally. Don't forget web services and the AutodiscoverServiceInternalURI on set-clientaccessserver.

Make sure you have your AD sites setup correctly so that Autodiscover doesn't cross sites and have an RPC CAS Array per AD site as well.

Simon.
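The steps Simon lists above, worked through in the Exchange 2010 Management Shell as an added example (written for this page, not Simon's own code or anything from the thread). It assumes, because the thread does not say, server short names EX1 and EX2, an AD site named Site1, a LAN address of 10.0.1.10 for EX1, a fictitious certificate subject, that Outlook Anywhere is already enabled, and that the shell is run on a domain controller that also hosts the internal DNS:

```powershell
# Added example, not from the thread: Exchange 2010 Management Shell, run on EX1 (site 1).
# Assumed, not stated in the thread: server short names EX1/EX2, AD site name "Site1",
# EX1's LAN address 10.0.1.10, the subject "C=GB,O=Example Ltd", Outlook Anywhere already
# enabled, and the internal DNS server being the machine the shell runs on.
# Repeat steps 3, 4 and 5 on EX2 with mail.domain2.com / autodiscover.domain2.com / Site2.

$Server   = "EX1"
$MailFqdn = "mail.domain1.com"
$AdFqdn   = "autodiscover.domain1.com"

# 1. One SAN request that carries every public name Simon listed and no abc.local name.
#    The primary name goes in the CN; every name, the CN included, goes in -DomainName.
$San = @("mail.domain1.com", "mail.domain2.com", "mail.domain3.com",
         "autodiscover.domain1.com", "autodiscover.domain2.com", "autodiscover.domain3.com")
$Req = New-ExchangeCertificate -GenerateRequest -FriendlyName "Exchange 2010 SAN" `
         -SubjectName "C=GB,O=Example Ltd,CN=mail.domain1.com" -DomainName $San `
         -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path C:\certreq.txt -Value $Req          # paste this CSR into the GoDaddy order

# 2. When the signed certificate comes back: import it, bind it to IIS and SMTP, and export a
#    PFX so the same certificate (same private key) can be imported and enabled on EX2.
$Bytes = [Byte[]](Get-Content -Path C:\mail_domain1_com.cer -Encoding Byte -ReadCount 0)
$Cert  = Import-ExchangeCertificate -FileData $Bytes
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS,SMTP"
$Pfx = Export-ExchangeCertificate -Thumbprint $Cert.Thumbprint -BinaryEncoded:$true `
         -Password (Read-Host "PFX password" -AsSecureString)
Set-Content -Path C:\exchange-san.pfx -Value $Pfx.FileData -Encoding Byte

# 3. Every client-facing URL uses the public name both internally and externally, so the
#    name a client connects to is always one the certificate covers.
$Vdir = "$Server\{0} (Default Web Site)"
Set-OwaVirtualDirectory -Identity ($Vdir -f "owa") `
    -InternalUrl "https://$MailFqdn/owa" -ExternalUrl "https://$MailFqdn/owa"
Set-EcpVirtualDirectory -Identity ($Vdir -f "ecp") `
    -InternalUrl "https://$MailFqdn/ecp" -ExternalUrl "https://$MailFqdn/ecp"
Set-ActiveSyncVirtualDirectory -Identity ($Vdir -f "Microsoft-Server-ActiveSync") `
    -InternalUrl "https://$MailFqdn/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$MailFqdn/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity ($Vdir -f "EWS") `
    -InternalUrl "https://$MailFqdn/EWS/Exchange.asmx" -ExternalUrl "https://$MailFqdn/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity ($Vdir -f "OAB") `
    -InternalUrl "https://$MailFqdn/OAB" -ExternalUrl "https://$MailFqdn/OAB"
Set-OutlookAnywhere -Identity ($Vdir -f "Rpc") -ExternalHostname $MailFqdn
# AutoDiscoverSiteScope stops this server's SCP answering Autodiscover for the other site.
Set-ClientAccessServer -Identity $Server -AutoDiscoverSiteScope "Site1" `
    -AutoDiscoverServiceInternalUri "https://$AdFqdn/Autodiscover/Autodiscover.xml"

# 4. One RPC CAS array per AD site. Outlook reaches it over MAPI/RPC, not HTTPS, so its
#    abc.local name does not need to be on the certificate.
New-ClientAccessArray -Name "outlook-site1.abc.local" -Fqdn "outlook-site1.abc.local" -Site "Site1"
Get-MailboxDatabase -Server $Server | Set-MailboxDatabase -RpcClientAccessServer "outlook-site1.abc.local"

# 5. Split DNS: an internal copy of domain1.com so mail/autodiscover resolve to the LAN address.
#    Caveat: an internal authoritative zone hides every other public record in domain1.com
#    (www and so on) from internal clients, so recreate any record they still need.
dnscmd /ZoneAdd domain1.com /DsPrimary
dnscmd /RecordAdd domain1.com mail A 10.0.1.10
dnscmd /RecordAdd domain1.com autodiscover A 10.0.1.10

# 6. Checks: the bound certificate must list every name used above, and no URL may still
#    carry abc.local, otherwise Outlook shows a name-mismatch warning on every start.
Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint | Format-List Services, CertificateDomains, NotAfter
Get-WebServicesVirtualDirectory -Server $Server | Select-Object InternalUrl, ExternalUrl
Test-OutlookWebServices -Identity "user@domain1.com" | Format-Table Id, Type, Message -AutoSize
```

The one certificate is shared between EX1 and EX2 deliberately: GoDaddy will only issue the autodiscover names once, so EX2 imports the exported PFX rather than requesting its own. Only the names in step 3 and the Autodiscover URI need to be on the certificate; the CAS array name never appears in an HTTPS connection.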

Author Comment

by:giorgio71
ID: 38764949
Thanks Simon,

Can I get away with not having split DNS?

Do I really need to have mail.domain3.com? domain3.com is only an incoming email domain, and the MX record for domain3.com is mail.domain1.com.

I bought a GoDaddy certificate with my internal name and they provided me with one recently. Is this expected to change soon?

Is there an article or PDF regarding the setup of this scenario?

I don't want to have more servers, since the number of mailboxes is around 300.

Thanks for the assistance.
Expert Comment

by:Simon Butler (Sembee)
ID: 38765054
Split DNS cannot be avoided because you cannot use the internal names any longer. While you can get certificates with internal names at the moment, that will stop from October 2015 (IIRC). Therefore you need to move to the split DNS system at some point, you may as well move to it now. It takes all of 10 minutes to setup.

You only need autodiscover if you have mailboxes with that domain as their PRIMARY email address. If it is just an alias for other users then you don't need them.

The section on SSL certificates on my web site goes through the setup with this model.
http://exchange.sembee.info/2010/install/ssl.asp

Simon.

Author Comment

by:giorgio71
ID: 38769593
Thanks Simon for the valuable info.

Just one last confirmation, if I may:

So if I use split DNS:

Note: mail.domain3.com doesn't exist - mx points to mail.domain1.com

In site 1:

Certificate name: mail.domain1.com
SAN:
autodiscover.domain1.com
autodiscover.domain2.com
autodiscover.domain3.com

In site 2:

Certificate name: mail.domain2.com
SAN:


If not using split DNS:

I would add ex1.abc.local, autodiscover.abc.local  to Site 1's certificate, and ex2.abc.local to site 2's certificate.

Is that correct?

Thanking you in advance,

George
Accepted Solution

by: Simon Butler (Sembee) (earned 500 total points)
ID: 38769890
You could deploy a single name SSL certificate in the second location if you wish. However you would need to change the server configuration to accommodate that. Nothing too difficult, but would need to be done to ensure that clients in that AD site can use Autodiscover etc.

http://exchange.sembee.info/2010/install/clientaccesshostnames.asp

While you can add internal names to the SSL certificates at the moment, from November 2015 (and for any certificates that expire after that date) you cannot. Therefore at some point you will have to implement split DNS - you may as well do so now.

Simon.